Potential fix for code scanning alert no. 57: Arbitrary file access during archive extraction ("Zip Slip") (#4604)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
Kevin Wan
2025-01-27 11:53:35 +08:00
committed by GitHub
parent a32f6d7642
commit c71829c8de


@@ -2,9 +2,11 @@ package zipx
import ( import (
"archive/zip" "archive/zip"
"fmt"
"io" "io"
"os" "os"
"path/filepath" "path/filepath"
"strings"
"github.com/zeromicro/go-zero/tools/goctl/util/pathx" "github.com/zeromicro/go-zero/tools/goctl/util/pathx"
) )
@@ -39,6 +41,12 @@ func fileCopy(file *zip.File, destPath string) error {
return err return err
} }
defer rc.Close() defer rc.Close()
// Ensure the file path does not contain directory traversal elements
if strings.Contains(file.Name, "..") {
return fmt.Errorf("invalid file path: %s", file.Name)
}
abs, err := filepath.Abs(file.Name) abs, err := filepath.Abs(file.Name)
if err != nil { if err != nil {
return err return err
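Review bot: The `strings.Contains(file.Name, "..")` test added before `filepath.Abs` is both too broad and not anchored to where the entry is actually written: it rejects harmless names such as `release..notes.txt`, and it validates the archive name rather than the final on-disk path, so any later path construction in fileCopy (the rest of the function is outside this hunk) has to be trusted separately. The standard Zip Slip guard is to build the target from `destPath` and confirm it stays inside the cleaned destination, which also covers entry names with a leading separator; since `os` and `strings` are already imported, something like the lines below can replace the substring check, applied to whatever path expression fileCopy ultimately passes to the writer. The check could also sit before `file.Open()` so a rejected entry is never opened, though the existing `defer rc.Close()` means the current placement does not leak the reader. I would also add a short comment stating the intent, e.g. `// Zip Slip guard: the resolved target must stay inside destPath (archive names are attacker-controlled)`.
```go
	// Zip Slip guard: the resolved target must stay inside destPath
	// (archive entry names are attacker-controlled).
	target := filepath.Join(destPath, file.Name)
	if !strings.HasPrefix(target, filepath.Clean(destPath)+string(os.PathSeparator)) {
		return fmt.Errorf("invalid file path: %s", file.Name)
	}
	// … unchanged: filepath.Abs and the rest of fileCopy …
```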