release v1.3.4

fix: issue#62: fix ZipSlip bug
2026-02-05 05:12:26 +08:00 · 2022-11-17 16:14:42 +08:00 · 2022-11-17 16:14:03 +08:00
3 changed files with 19 additions and 3 deletions
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
 <br/>

 ![Go version](https://img.shields.io/badge/go-v1.16-9cf)
-[![Release](https://img.shields.io/badge/release-1.3.3-green.svg)](https://github.com/duke-git/lancet/releases)
+[![Release](https://img.shields.io/badge/release-1.3.4-green.svg)](https://github.com/duke-git/lancet/releases)
 [![GoDoc](https://godoc.org/github.com//duke-git/lancet?status.svg)](https://pkg.go.dev/github.com/duke-git/lancet)
 [![Go Report Card](https://goreportcard.com/badge/github.com/duke-git/lancet)](https://goreportcard.com/report/github.com/duke-git/lancet)
 [![test](https://github.com/duke-git/lancet/actions/workflows/codecov.yml/badge.svg?branch=main&event=push)](https://github.com/duke-git/lancet/actions/workflows/codecov.yml)
--- a/README_zh-CN.md
+++ b/README_zh-CN.md
@@ -4,7 +4,7 @@
 <br/>

 ![Go version](https://img.shields.io/badge/go-v1.16-9cf)
-[![Release](https://img.shields.io/badge/release-1.3.3-green.svg)](https://github.com/duke-git/lancet/releases)
+[![Release](https://img.shields.io/badge/release-1.3.4-green.svg)](https://github.com/duke-git/lancet/releases)
 [![GoDoc](https://godoc.org/github.com//duke-git/lancet?status.svg)](https://pkg.go.dev/github.com/duke-git/lancet)
 [![Go Report Card](https://goreportcard.com/badge/github.com/duke-git/lancet)](https://goreportcard.com/report/github.com/duke-git/lancet)
 [![test](https://github.com/duke-git/lancet/actions/workflows/codecov.yml/badge.svg?branch=main&event=push)](https://github.com/duke-git/lancet/actions/workflows/codecov.yml)
--- a/fileutil/file.go
+++ b/fileutil/file.go
@@ -8,6 +8,7 @@ import (
 	"archive/zip"
 	"bufio"
 	"errors"
+	"fmt"
 	"io"
 	"io/fs"
 	"io/ioutil"
@@ -220,7 +221,11 @@ func UnZip(zipFile string, destPath string) error {
 	defer zipReader.Close()

 	for _, f := range zipReader.File {
-		path := filepath.Join(destPath, f.Name)
+		//issue#62: fix ZipSlip bug
+		path, err := safeFilepathJoin(destPath, f.Name)
+		if err != nil {
+			return err
+		}
 		if f.FileInfo().IsDir() {
 			os.MkdirAll(path, os.ModePerm)
 		} else {
@@ -249,6 +254,17 @@ func UnZip(zipFile string, destPath string) error {
 	return nil
 }

+func safeFilepathJoin(path1, path2 string) (string, error) {
+	relPath, err := filepath.Rel(".", path2)
+	if err != nil || strings.HasPrefix(relPath, "..") {
+		return "", fmt.Errorf("(zipslip) filepath is unsafe %q: %v", path2, err)
+	}
+	if path1 == "" {
+		path1 = "."
+	}
+	return filepath.Join(path1, filepath.Join("/", relPath)), nil
+}
+
 // IsLink checks if a file is symbol link or not
 func IsLink(path string) bool {
 	fi, err := os.Lstat(path)
Author	SHA1	Message	Date
dudaodong	279d0754ba	release v1.3.4	2022-11-17 16:14:42 +08:00
dudaodong	f133b32faa	fix: issue#62: fix ZipSlip bug	2022-11-17 16:14:03 +08:00