From be000a4bd6fa8a6e2f678f6b174300b1e9132592 Mon Sep 17 00:00:00 2001 From: dudaodong Date: Wed, 16 Nov 2022 15:08:42 +0800 Subject: [PATCH] fix: issue#62: fix ZipSlip bug --- fileutil/file.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fileutil/file.go b/fileutil/file.go index c67e564..743bbae 100644 --- a/fileutil/file.go +++ b/fileutil/file.go @@ -8,6 +8,7 @@ import ( "archive/zip" "bufio" "errors" + "fmt" "io" "io/fs" "io/ioutil" @@ -213,6 +214,8 @@ func Zip(fpath string, destPath string) error { // UnZip unzip the file and save it to destPath func UnZip(zipFile string, destPath string) error { + destPath = filepath.Clean(destPath) + string(os.PathSeparator) + zipReader, err := zip.OpenReader(zipFile) if err != nil { return err @@ -221,6 +224,12 @@ func UnZip(zipFile string, destPath string) error { for _, f := range zipReader.File { path := filepath.Join(destPath, f.Name) + + //issue#62: fix ZipSlip bug + if !strings.HasPrefix(path, destPath) { + return fmt.Errorf("%s: illegal file path", path) + } + if f.FileInfo().IsDir() { os.MkdirAll(path, os.ModePerm) } else {
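Review bot: Appending the separator in `destPath = filepath.Clean(destPath) + string(os.PathSeparator)` makes the `strings.HasPrefix(path, destPath)` guard added in the third hunk reject every entry when the destination is `""`, `"."` or a filesystem root. `filepath.Join` cleans its result, so with `destPath` equal to `./` the joined path is `a.txt`, which does not start with `./`; with `/` the prefix becomes `//` while the joined path is `/a.txt`. Keeping `destPath` as the plain cleaned path and testing the relative path from it preserves the traversal guard and handles those destinations. The body of UnZip continues outside both hunks, so callers that pass such destinations could not be checked from here.

```go
func UnZip(zipFile string, destPath string) error {
	destPath = filepath.Clean(destPath)
	// … unchanged: open the archive and check the error …
	for _, f := range zipReader.File {
		path := filepath.Join(destPath, f.Name)

		// Reject entries whose cleaned path leaves destPath (ZipSlip, issue #62).
		rel, relErr := filepath.Rel(destPath, path)
		if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
			return fmt.Errorf("%s: illegal file path", path)
		}
		// … unchanged: directory / file extraction …
```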
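Review bot: The guard added under `//issue#62: fix ZipSlip bug` is purely lexical and the comment does not say so: it compares cleaned path strings and would not notice a symlink that already exists under `destPath` and points elsewhere. The extraction code is outside the hunk, so whether that matters here cannot be confirmed, but the comment should state the limit, for example `// Reject entries whose cleaned path leaves destPath (ZipSlip, issue #62); lexical only, symlinks are not resolved.` The entry name comes from the archive, so quoting it keeps control characters out of logs: `return fmt.Errorf("%q: illegal file path", path)`. Returning from inside the loop also leaves the entries extracted so far on disk, which is worth a sentence in the UnZip doc comment.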