From 6b9a2141991cf00e3605a5d1a9522c2affca38db Mon Sep 17 00:00:00 2001 From: Mufeed VH Date: Thu, 11 Feb 2021 23:11:31 +0530 Subject: [PATCH] Added zip slip mitigation --- samples/jean/src/main.rs | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/samples/jean/src/main.rs b/samples/jean/src/main.rs index 063767a..4fabe14 100644 --- a/samples/jean/src/main.rs +++ b/samples/jean/src/main.rs @@ -221,13 +221,19 @@ fn do_main(matches: ArgMatches) -> Result<(), Box> { let start_time = std::time::SystemTime::now(); for entry in reader.entries() { - pbar.set_message(entry.name()); + // sanitized `entry.name()` to mitigate zip slip + #[cfg(windows)] + let entry_name = entry.name().replace("..\\", ""); + #[cfg(not(windows))] + let entry_name = entry.name().replace("../", ""); + + pbar.set_message(&entry_name); match entry.contents() { EntryContents::Symlink(c) => { num_symlinks += 1; #[cfg(windows)] { - let path = dir.join(c.entry.name()); + let path = dir.join(entry_name); std::fs::create_dir_all( path.parent() .expect("all full entry paths should have parent paths"), @@ -241,7 +247,7 @@ fn do_main(matches: ArgMatches) -> Result<(), Box> { #[cfg(not(windows))] { - let path = dir.join(c.entry.name()); + let path = dir.join(entry_name); std::fs::create_dir_all( path.parent() .expect("all full entry paths should have parent paths"), @@ -259,9 +265,9 @@ fn do_main(matches: ArgMatches) -> Result<(), Box> { std::os::unix::fs::symlink(src, &path)?; } } - EntryContents::Directory(c) => { + EntryContents::Directory(_c) => { num_dirs += 1; - let path = dir.join(c.entry.name()); + let path = dir.join(entry_name); std::fs::create_dir_all( path.parent() .expect("all full entry paths should have parent paths"), 
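Review bot: The sanitisation on the two `let entry_name = entry.name().replace(…)` lines is a single-pass string strip, so it does not guarantee that `dir.join(entry_name)` stays inside `dir`: `str::replace` is not repeated until a fixed point (a name such as `..././` still yields `../` after one pass), an absolute entry name is left untouched and `Path::join` discards `dir` when given one, and the `cfg(windows)` branch strips only `..\` although Windows path APIs accept `/` as a separator as well. The same `dir.join(entry_name)` is used in the symlink, directory and file arms (the remaining hunks, including the one on the next line), so the check belongs once where `entry_name` is built and should be a path check rather than a string check; the version below walks `Path::components()`, rejects anything other than `Normal`/`CurDir`, and only then joins, which is platform-independent and makes the `cfg` split unnecessary. Whether the symlink target `src` (assigned outside the hunk) can also point outside `dir` is not visible here and is worth checking separately. `do_main` starts and ends outside the hunk, and the `Box<…>` in its signature is assumed to be `Box<dyn Error>` for the `.into()` below.
```rust
    for entry in reader.entries() {
        // Build the destination from `Normal` components only, so `..`, a root
        // or a drive prefix in the archive entry cannot escape `dir`.
        let entry_name = entry.name();
        let mut relative = std::path::PathBuf::new();
        for comp in std::path::Path::new(entry_name).components() {
            match comp {
                std::path::Component::Normal(part) => relative.push(part),
                std::path::Component::CurDir => {}
                _ => return Err(format!("refusing unsafe entry path {:?}", entry_name).into()),
            }
        }
        let path = dir.join(&relative);
        pbar.set_message(entry_name);
        // … unchanged: match entry.contents() arms, each now using `path` instead of `dir.join(entry_name)` …
```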
@@ -269,7 +275,7 @@ fn do_main(matches: ArgMatches) -> Result<(), Box> {
 }
 EntryContents::File(c) => {
 num_files += 1;
- let path = dir.join(c.entry.name());
+ let path = dir.join(entry_name);
 std::fs::create_dir_all(
 path.parent()
 .expect("all full entry paths should have parent paths"),