archive: Prevent zip slip during extraction
jmooring authored Sep 9, 2023
1 parent 96eaa32 commit 84e2963
Showing 3 changed files with 13 additions and 1 deletion.
6 changes: 6 additions & 0 deletions archive/extract_targz.go
Expand Up @@ -19,10 +19,12 @@ import (
"archive/tar"
"bufio"
"compress/gzip"
"fmt"
"io"
"log"
"os"
"path/filepath"
"strings"
)

// extractTarGZ extracts a gzipped tarball (src) to the dst directory.
Expand Down Expand Up @@ -55,6 +57,10 @@ func extractTarGZ(src string, dst string) error {
continue
}

if strings.Contains(th.Name, "..") {
return fmt.Errorf("detected unsafe file in archive (zip slip)")
}

target := filepath.Join(dst, th.Name)

switch th.Typeflag {
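Review bot: The new `strings.Contains(th.Name, "..")` guard is a substring heuristic rather than a path check: it rejects harmless entries whose name merely contains two consecutive dots (`notes..txt`, `foo..bar/`) while the property that actually matters is whether the cleaned entry path stays inside dst. A precise one-line replacement is `if !filepath.IsLocal(th.Name) { return fmt.Errorf("detected unsafe file in archive (zip slip): %q", th.Name) }` — filepath.IsLocal (Go 1.20+, so confirm the module's Go version) rejects absolute names and any `..` component that escapes the root, accepts `..` embedded inside a name, and handles both separators on Windows. The same substring check appears in the extract_zip.go hunk on `f.Name` and would take the identical replacement. extractTarGZ continues past the hunk into the `th.Typeflag` switch; if that switch materialises symlink or hard-link entries, `th.Linkname` is not covered by either check and presumably needs the same validation.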
6 changes: 6 additions & 0 deletions archive/extract_zip.go
Expand Up @@ -17,10 +17,12 @@ package archive

import (
"archive/zip"
"fmt"
"io"
"log"
"os"
"path/filepath"
"strings"
)

// extractZip extracts a zip file (src) to the dst directory.
Expand All @@ -32,6 +34,10 @@ func extractZip(src string, dst string) error {
defer zrc.Close()

for _, f := range zrc.File {
if strings.Contains(f.Name, "..") {
return fmt.Errorf("detected unsafe file in archive (zip slip)")
}

target := filepath.Join(dst, f.Name)

if f.FileInfo().IsDir() {
2 changes: 1 addition & 1 deletion cmd/use.go
Expand Up @@ -335,7 +335,7 @@ func (a *asset) downloadAsset() error {
}
}

// Writer the body to file
// Write the body to file.
_, err = io.Copy(out, resp.Body)
if err != nil {
return err
