github_mirrors/go-zero
1
0
Fork 0
mirror of https://github.com/zeromicro/go-zero.git synced 2025-02-03 00:38:40 +08:00
Code Issues Packages Projects Releases Wiki Activity

Potential fix for code scanning alert no. 57: Arbitrary file access during archive extraction ("Zip Slip") (#4604)

Browse Source 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
Kevin Wan 2025-01-27 11:53:35 +08:00 committed by GitHub
parent a32f6d7642
commit c71829c8de
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
tools/goctl/util/zipx/zipx.go
View File

@ -2,9 +2,11 @@ package zipx
import (
"archive/zip"
"fmt"
"io"
"os"
"path/filepath"
"strings"
"github.com/zeromicro/go-zero/tools/goctl/util/pathx"
)
@ -39,6 +41,12 @@ func fileCopy(file *zip.File, destPath string) error {
return err
}
defer rc.Close()
// Ensure the file path does not contain directory traversal elements
if strings.Contains(file.Name, "..") {
return fmt.Errorf("invalid file path: %s", file.Name)
}
abs, err := filepath.Abs(file.Name)
if err != nil {
return err