Merge pull request #2 from snoopysecurity/fix/santize-filename-paths

fix: sanitize filepath names
artdarek · Mar 8, 2020 · 4975cbe · 4975cbe
2 parents 33dc051 + 473b413
commit 4975cbe
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/unzip.go b/unzip.go
@@ -6,6 +6,7 @@ import (
 	"path/filepath"
 	"io"
 	"fmt"
+	"strings"
 )
 
 type Unzip struct {
@@ -46,6 +47,9 @@ func (uz Unzip) Extract() error {
 		}()
 
 		path := filepath.Join(uz.Dest, f.Name)
+		if !strings.HasPrefix(path, filepath.Clean(uz.Dest)+string(os.PathSeparator)) {
+            return fmt.Errorf("%s: Illegal file path", path)
+        }
 
 		if f.FileInfo().IsDir() {
 			os.MkdirAll(path, f.Mode())