Merge pull request #1 from snoopysecurity/fix/santize-filename-paths
fix: sanitize filepath names
yi-ge committed Mar 8, 2020
2 parents cc5a75e + f61aa05 commit 2adbaa4
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions unzip.go
Expand Up @@ -12,6 +12,8 @@ import (
"path/filepath"
"runtime"
"time"
"strings"
"fmt"
)

var (
Expand Down Expand Up @@ -120,6 +122,9 @@ func (uz Unzip) Extract() error {
}()

path := filepath.Join(uz.Dest, f.Name)
if !strings.HasPrefix(path, filepath.Clean(uz.Dest)+string(os.PathSeparator)) {
return fmt.Errorf("%s: illegal file path", path)
}

if f.FileInfo().IsDir() {
os.MkdirAll(path, f.Mode())
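Review bot: The new guard `strings.HasPrefix(path, filepath.Clean(uz.Dest)+string(os.PathSeparator))` rejects every entry when `uz.Dest` is `.`, empty or the filesystem root, because `filepath.Join` returns a cleaned path that never starts with `./` or `//`. Comparing the relative path avoids this while still blocking traversal: `rel, err := filepath.Rel(uz.Dest, path)` followed by `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) { return fmt.Errorf("%s: illegal file path", f.Name) }`. Either form is a purely lexical check, so it does not cover writes that pass through a symlink already present under `uz.Dest`. Whether `Extract` creates symlinks from archive entries is not visible here, as its body starts and ends outside the hunk, so that is worth confirming. The return value of `os.MkdirAll(path, f.Mode())` on the following context line is also discarded, so a failed directory creation goes unreported.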
