return err on ".." in zip item file path

Unlikely to happen since go stdlib zip doesn't do it, so if it does happen, better safe than sorry.
Evan Su 2025-01-27 01:12:14 -05:00
parent a929eb1037
commit 47b65d6fe0


@ -2388,7 +2388,10 @@ func unpackArchive(zipPath string) error {
startTime := time.Now() startTime := time.Now()
for _, f := range reader.File { for _, f := range reader.File {
outPath := filepath.Join(extractDir, filepath.Clean(strings.ReplaceAll(f.Name, "\\", "/"))) if strings.Contains(f.Name, "..") {
return errors.New("potentially malicious zip item path")
}
outPath := filepath.Join(extractDir, f.Name)
// Make directory if current entry is a folder // Make directory if current entry is a folder
if f.FileInfo().IsDir() { if f.FileInfo().IsDir() {
@ -2399,12 +2402,16 @@ func unpackArchive(zipPath string) error {
} }
for i, f := range reader.File { for i, f := range reader.File {
if strings.Contains(f.Name, "..") {
return errors.New("potentially malicious zip item path")
}
// Already handled above // Already handled above
if f.FileInfo().IsDir() { if f.FileInfo().IsDir() {
continue continue
} }
outPath := filepath.Join(extractDir, filepath.Clean(strings.ReplaceAll(f.Name, "\\", "/"))) outPath := filepath.Join(extractDir, f.Name)
// Otherwise create necessary parent directories // Otherwise create necessary parent directories
if err := os.MkdirAll(filepath.Dir(outPath), 0755); err != nil { if err := os.MkdirAll(filepath.Dir(outPath), 0755); err != nil {
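Review bot: The new guard `strings.Contains(f.Name, "..")` at the top of both loops is a substring test, so it also rejects harmless entry names such as `notes..txt` instead of only names with a `..` path element. If the module targets Go 1.20 or later (go.mod is not visible here), `if !filepath.IsLocal(f.Name) {` checks path elements rather than characters and additionally refuses absolute names. The copy of the check in the second hunk looks unreachable, because the first loop already walks every entry in `reader.File` and returns on the first match; running the validation as its own pass before anything is created would also avoid leaving a partial tree behind, since the first loop appears to create directories as it goes. Dropping `strings.ReplaceAll(f.Name, "\\", "/")` means that on non-Windows systems an entry written with backslash separators presumably now extracts as one file with backslashes in its name, which deserves a comment if intended. unpackArchive starts and ends outside the visible hunks.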