From 06c83dce0d6a67342dbba61611bd4490ecdeffde Mon Sep 17 00:00:00 2001
From: Slug-Boi
Date: Thu, 28 Nov 2024 13:40:18 +0100
Subject: [PATCH] fix: zip slip issue

---
 src/cmd/update.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/cmd/update.go b/src/cmd/update.go
index cdd3e92..cc18a4b 100644
--- a/src/cmd/update.go
+++ b/src/cmd/update.go
@@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"runtime"
+	"strings"
 
 	"github.com/spf13/cobra"
 )
@@ -171,9 +172,10 @@ func unzipper(dst string, r io.Reader) error {
 		// the target location where the dir/file should be created
 		target := filepath.Join(dst, header.Name)
 
-		// the following switch could also be done using fi.Mode(), not sure if there
-		// a benefit of using one vs. the other.
-		// fi := header.FileInfo()
+		// ensure the target path is within the destination directory
+		if !strings.HasPrefix(target, filepath.Clean(dst)+string(os.PathSeparator)) {
+			return fmt.Errorf("illegal file path: %s", target)
+		}
 
 		// check the file type
 		switch header.Typeflag {
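Review bot: The prefix check in the second hunk rejects every legitimate entry for some common values of dst: `filepath.Join(".", "a")` yields `a`, which does not start with `./`, and for a root destination `filepath.Clean("/")+"/"` is `//`, which no joined path begins with. A containment test that does not depend on the textual form of dst is more robust, e.g. `rel, err := filepath.Rel(dst, target)` followed by `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) { return fmt.Errorf("illegal file path: %q", header.Name) }`; if the module targets Go 1.20 or later, `filepath.IsLocal(header.Name)` expresses the same rule directly. Quoting the archive-supplied name with `%q` rather than `%s` also keeps control characters in a crafted entry name out of the log line. The body of unzipper continues outside the hunk, so whether the switch below applies an equivalent check to the link target of symlink or hardlink entries cannot be confirmed here; if it does not, those entries still escape dst.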