Merge pull request #13 from 418sec/1-other-rc-zip

Security Fix for zip-slip - huntr.dev
bearcove · Feb 21, 2021 · d43c169 · d43c169
2 parents 66531c1 + 4e5c95f
commit d43c169
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/samples/jean/src/main.rs b/samples/jean/src/main.rs
@@ -221,13 +221,19 @@ fn do_main(matches: ArgMatches) -> Result<(), Box<dyn std::error::Error>> {
 
             let start_time = std::time::SystemTime::now();
             for entry in reader.entries() {
-                pbar.set_message(entry.name());
+                // sanitized `entry.name()` to mitigate zip slip
+                #[cfg(windows)]
+                let entry_name = entry.name().replace("..\\", "");
+                #[cfg(not(windows))]
+                let entry_name = entry.name().replace("../", "");
+
+                pbar.set_message(&entry_name);
                 match entry.contents() {
                     EntryContents::Symlink(c) => {
                         num_symlinks += 1;
                         #[cfg(windows)]
                         {
-                            let path = dir.join(c.entry.name());
+                            let path = dir.join(entry_name);
                             std::fs::create_dir_all(
                                 path.parent()
                                     .expect("all full entry paths should have parent paths"),
@@ -241,7 +247,7 @@ fn do_main(matches: ArgMatches) -> Result<(), Box<dyn std::error::Error>> {
 
                         #[cfg(not(windows))]
                         {
-                            let path = dir.join(c.entry.name());
+                            let path = dir.join(entry_name);
                             std::fs::create_dir_all(
                                 path.parent()
                                     .expect("all full entry paths should have parent paths"),
@@ -259,17 +265,17 @@ fn do_main(matches: ArgMatches) -> Result<(), Box<dyn std::error::Error>> {
                             std::os::unix::fs::symlink(src, &path)?;
                         }
                     }
-                    EntryContents::Directory(c) => {
+                    EntryContents::Directory(_c) => {
                         num_dirs += 1;
-                        let path = dir.join(c.entry.name());
+                        let path = dir.join(entry_name);
                         std::fs::create_dir_all(
                             path.parent()
                                 .expect("all full entry paths should have parent paths"),
                         )?;
                     }
                     EntryContents::File(c) => {
                         num_files += 1;
-                        let path = dir.join(c.entry.name());
+                        let path = dir.join(entry_name);
                         std::fs::create_dir_all(
                             path.parent()
                                 .expect("all full entry paths should have parent paths"),