git/lancet
1
0
Fork 0
mirror of https://github.com/duke-git/lancet.git synced 2026-02-23 13:52:26 +08:00
Code Issues Projects Releases Wiki Activity

fix: issue#62: fix ZipSlip bug

Browse Source
This commit is contained in:
dudaodong
2022-11-16 15:08:42 +08:00
parent 81efa800ea
commit be000a4bd6
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
fileutil/file.go
View File

@@ -8,6 +8,7 @@ import (
"archive/zip" "archive/zip"
"bufio" "bufio"
"errors" "errors"
"fmt"
"io" "io"
"io/fs" "io/fs"
"io/ioutil" "io/ioutil"
@@ -213,6 +214,8 @@ func Zip(fpath string, destPath string) error {
// UnZip unzip the file and save it to destPath // UnZip unzip the file and save it to destPath
func UnZip(zipFile string, destPath string) error { func UnZip(zipFile string, destPath string) error {
destPath = filepath.Clean(destPath) + string(os.PathSeparator)
zipReader, err := zip.OpenReader(zipFile) zipReader, err := zip.OpenReader(zipFile)
if err != nil { if err != nil {
return err return err
@@ -221,6 +224,12 @@ func UnZip(zipFile string, destPath string) error {
for _, f := range zipReader.File { for _, f := range zipReader.File {
path := filepath.Join(destPath, f.Name) path := filepath.Join(destPath, f.Name)
//issue#62: fix ZipSlip bug
if !strings.HasPrefix(path, destPath) {
return fmt.Errorf("%s: illegal file path", path)
}
if f.FileInfo().IsDir() { if f.FileInfo().IsDir() {
os.MkdirAll(path, os.ModePerm) os.MkdirAll(path, os.ModePerm)
} else { } else {