fix: issue#62: fix ZipSlip bug

SECURITY.md

@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+Here is the lancet version and compatibility with go language version.
+
+| Version | Supported         |
+| ------- | ------------------|
+| 2.x.x   | +go v1.18         |
+| 1.x.x   | +go v1.12         |
+
+
+## Reporting a Vulnerability
+
+For now, there is no public website to report a vulnerability, If you find security issue in lancet, you can send it to me via my email `lanliddd.2007@163.com`.
+we can discuss it. I am appreciate if someone can create a public page for reporting vulnerability.

fileutil/file.go

@@ -8,6 +8,7 @@ import (
 	"archive/zip"
 	"bufio"
 	"errors"
+	"fmt"
 	"io"
 	"io/fs"
 	"io/ioutil"
@@ -213,6 +214,7 @@ func Zip(fpath string, destPath string) error {
 
 // UnZip unzip the file and save it to destPath
 func UnZip(zipFile string, destPath string) error {
+
 	zipReader, err := zip.OpenReader(zipFile)
 	if err != nil {
 		return err
@@ -221,6 +223,13 @@ func UnZip(zipFile string, destPath string) error {
 
 	for _, f := range zipReader.File {
 		path := filepath.Join(destPath, f.Name)
+
+		//issue#62: fix ZipSlip bug
+		path, err := safeFilepathJoin(destPath, f.Name)
+		if err != nil {
+			return err
+		}
+
 		if f.FileInfo().IsDir() {
 			os.MkdirAll(path, os.ModePerm)
 		} else {
@@ -249,6 +258,17 @@ func UnZip(zipFile string, destPath string) error {
 	return nil
 }
 
+func safeFilepathJoin(path1, path2 string) (string, error) {
+	relPath, err := filepath.Rel(".", path2)
+	if err != nil || strings.HasPrefix(relPath, "..") {
+		return "", fmt.Errorf("(zipslip) filepath is unsafe %q: %v", path2, err)
+	}
+	if path1 == "" {
+		path1 = "."
+	}
+	return filepath.Join(path1, filepath.Join("/", relPath)), nil
+}
+
 // IsLink checks if a file is symbol link or not
 func IsLink(path string) bool {
 	fi, err := os.Lstat(path)