Slug.Boi/cocommit
1
0
Fork 0
mirror of https://github.com/Slug-Boi/cocommit.git synced 2026-05-13 12:45:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: zip slip issue

Browse Source
This commit is contained in:
Slug-Boi
2024-11-28 13:40:18 +01:00
parent d90ab2d809
commit 06c83dce0d
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/cmd/update.go
+5 -3
View File
@@ -12,6 +12,7 @@ import (
"path/filepath" "path/filepath"
"regexp" "regexp"
"runtime" "runtime"
"strings"
"github.com/spf13/cobra" "github.com/spf13/cobra"
) )
@@ -171,9 +172,10 @@ func unzipper(dst string, r io.Reader) error {
// the target location where the dir/file should be created // the target location where the dir/file should be created
target := filepath.Join(dst, header.Name) target := filepath.Join(dst, header.Name)
// the following switch could also be done using fi.Mode(), not sure if there // ensure the target path is within the destination directory
// a benefit of using one vs. the other. if !strings.HasPrefix(target, filepath.Clean(dst)+string(os.PathSeparator)) {
// fi := header.FileInfo() return fmt.Errorf("illegal file path: %s", target)
}
// check the file type // check the file type
switch header.Typeflag { switch header.Typeflag {