fix(utils): avoid zip slip vulnerability

vimiix · Jun 12, 2024 · 1c05f17 · 1c05f17
1 parent bb268b4
commit 1c05f17
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/internal/utils/utils.go b/internal/utils/utils.go
@@ -17,6 +17,7 @@ import (
 	"github.com/denisbrodbeck/machineid"
 	"github.com/pkg/errors"
 	"github.com/vimiix/ssx/internal/file"
+	"github.com/vimiix/ssx/internal/lg"
 	"github.com/vimiix/ssx/ssx/env"
 )
 
@@ -198,6 +199,11 @@ func Untar(tarPath string, targetDir string, filenames ...string) error {
 		case header == nil:
 			continue
 		}
+		if strings.Contains(header.Name, "..") {
+			// code scanning: https://github.com/vimiix/ssx/security/code-scanning/3
+			lg.Warn("ignore file %s due to zip slip vulnerability", header.Name)
+			continue
+		}
 
 		// the target location where the dir/file should be created
 		target := filepath.Join(targetDir, filepath.FromSlash(header.Name))