Skip to content
Permalink
Browse files Browse the repository at this point in the history
fix: issue#62: fix ZipSlip bug
  • Loading branch information
duke-git committed Nov 17, 2022
1 parent b98d5ed commit f133b32
Showing 1 changed file with 17 additions and 1 deletion.
18 changes: 17 additions & 1 deletion fileutil/file.go
Expand Up @@ -8,6 +8,7 @@ import (
"archive/zip"
"bufio"
"errors"
"fmt"
"io"
"io/fs"
"io/ioutil"
Expand Down Expand Up @@ -220,7 +221,11 @@ func UnZip(zipFile string, destPath string) error {
defer zipReader.Close()

for _, f := range zipReader.File {
path := filepath.Join(destPath, f.Name)
//issue#62: fix ZipSlip bug
path, err := safeFilepathJoin(destPath, f.Name)
if err != nil {
return err
}
if f.FileInfo().IsDir() {
os.MkdirAll(path, os.ModePerm)
} else {
Expand Down Expand Up @@ -249,6 +254,17 @@ func UnZip(zipFile string, destPath string) error {
return nil
}

func safeFilepathJoin(path1, path2 string) (string, error) {
relPath, err := filepath.Rel(".", path2)
if err != nil || strings.HasPrefix(relPath, "..") {
return "", fmt.Errorf("(zipslip) filepath is unsafe %q: %v", path2, err)
}
if path1 == "" {
path1 = "."
}
return filepath.Join(path1, filepath.Join("/", relPath)), nil
}

// IsLink checks if a file is symbol link or not
func IsLink(path string) bool {
fi, err := os.Lstat(path)
Expand Down

0 comments on commit f133b32

Please sign in to comment.