From c71829c8debbaa730aed924a3ac702e32842c49a Mon Sep 17 00:00:00 2001
From: Kevin Wan
Date: Mon, 27 Jan 2025 11:53:35 +0800
Subject: [PATCH] Potential fix for code scanning alert no. 57: Arbitrary file access during archive extraction ("Zip Slip") (#4604)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 tools/goctl/util/zipx/zipx.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/tools/goctl/util/zipx/zipx.go b/tools/goctl/util/zipx/zipx.go
index 0071150d..e41d42d8 100644
--- a/tools/goctl/util/zipx/zipx.go
+++ b/tools/goctl/util/zipx/zipx.go
@@ -2,9 +2,11 @@ package zipx
 
 import (
 "archive/zip"
+ "fmt"
 "io"
 "os"
 "path/filepath"
+ "strings"
 
 "github.com/zeromicro/go-zero/tools/goctl/util/pathx"
 )
@@ -39,6 +41,12 @@ func fileCopy(file *zip.File, destPath string) error {
 return err
 }
 defer rc.Close()
+
+ // Ensure the file path does not contain directory traversal elements
+ if strings.Contains(file.Name, "..") {
+ return fmt.Errorf("invalid file path: %s", file.Name)
+ }
+
 abs, err := filepath.Abs(file.Name)
 if err != nil {
 return err
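Review bot: The added `strings.Contains(file.Name, "..")` guard in fileCopy is a substring heuristic rather than a containment check: it rejects legitimate entry names such as `a..b`, and it does not by itself address an absolute entry name, which is equally outside the extraction directory. The robust form is to build the target with `filepath.Join(destPath, file.Name)` and confirm via `filepath.Rel` that the cleaned result stays under `destPath` (Join also neutralises a leading separator); this assumes `destPath` is the extraction root, which the hunk does not show, so confirm against the rest of fileCopy, whose body continues past the hunk. The error should format the attacker-controlled name with `%q` rather than `%s` so an empty or whitespace-laden name is unambiguous in logs. Separately, the pre-existing `filepath.Abs(file.Name)` on the next line resolves against the process working directory rather than `destPath`; how `abs` is used is outside the hunk, but it is worth a second look in the same pass.

```go
	defer rc.Close()

	// Reject entries that would land outside destPath once joined and cleaned
	// (assumes destPath is the extraction root — confirm against callers).
	target := filepath.Join(destPath, file.Name)
	rel, err := filepath.Rel(destPath, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("invalid file path: %q", file.Name)
	}

	// … unchanged: filepath.Abs and the remainder of fileCopy …
```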