mirror of https://github.com/duke-git/lancet.git synced 2026-02-16 18:52:27 +08:00

fix: issue#62: fix ZipSlip bug

dudaodong
2022-11-16 16:04:38 +08:00
parent be000a4bd6
commit f869a0a670


@@ -214,7 +214,6 @@ func Zip(fpath string, destPath string) error {
// UnZip unzip the file and save it to destPath // UnZip unzip the file and save it to destPath
func UnZip(zipFile string, destPath string) error { func UnZip(zipFile string, destPath string) error {
destPath = filepath.Clean(destPath) + string(os.PathSeparator)
zipReader, err := zip.OpenReader(zipFile) zipReader, err := zip.OpenReader(zipFile)
if err != nil { if err != nil {
@@ -226,8 +225,9 @@ func UnZip(zipFile string, destPath string) error {
path := filepath.Join(destPath, f.Name) path := filepath.Join(destPath, f.Name)
//issue#62: fix ZipSlip bug //issue#62: fix ZipSlip bug
if !strings.HasPrefix(path, destPath) { path, err := safeFilepathJoin(destPath, f.Name)
return fmt.Errorf("%s: illegal file path", path) if err != nil {
return err
} }
if f.FileInfo().IsDir() { if f.FileInfo().IsDir() {
@@ -258,6 +258,17 @@ func UnZip(zipFile string, destPath string) error {
return nil return nil
} }
func safeFilepathJoin(path1, path2 string) (string, error) {
relPath, err := filepath.Rel(".", path2)
if err != nil || strings.HasPrefix(relPath, "..") {
return "", fmt.Errorf("(zipslip) filepath is unsafe %q: %v", path2, err)
}
if path1 == "" {
path1 = "."
}
return filepath.Join(path1, filepath.Join("/", relPath)), nil
}
// IsLink checks if a file is symbol link or not // IsLink checks if a file is symbol link or not
func IsLink(path string) bool { func IsLink(path string) bool {
fi, err := os.Lstat(path) fi, err := os.Lstat(path)
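Review bot: In `safeFilepathJoin`, `strings.HasPrefix(relPath, "..")` is a string-prefix match rather than a path-component match, so it also rejects legitimate entry names that merely begin with two dots (a constructed example: `..config/a.txt`), although the intent is only to refuse a leading `..` component. Comparing components is tighter: `if err != nil || relPath == ".." || strings.HasPrefix(relPath, ".."+string(os.PathSeparator)) {`. On that same branch `err` is nil whenever the prefix test is what fired, so the returned message ends in `<nil>`; a separate error for the traversal case would read better. The check is purely lexical and says nothing about symlinks that already exist under `destPath`; whether that matters depends on the parts of `UnZip` that lie outside these hunks. A table-driven test for the helper (absolute name, `../x`, `a/../../x`, `..x`, empty `path1`) would pin the intended behaviour.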