
Commit 2bf95a6

committed
fix: optimized archive extraction path traversal checks
1 parent 453c669 commit 2bf95a6

1 file changed

Lines changed: 31 additions & 0 deletions


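--- a/opensca/walk/path.go
+++ b/opensca/walk/path.go
@@ -0,0 +1,31 @@
+package walk
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+)
+
+func resolveExtractPath(base, entry string) (string, error) {
+	normalized := strings.ReplaceAll(entry, "\\", string(filepath.Separator))
+	cleaned := filepath.Clean(normalized)
+	if cleaned == "." || cleaned == "" {
+		return "", fmt.Errorf("invalid archive entry path %q", entry)
+	}
+
+	if filepath.IsAbs(cleaned) {
+		return "", fmt.Errorf("archive entry path %q is absolute", entry)
+	}
+
+	target := filepath.Join(base, cleaned)
+	rel, err := filepath.Rel(base, target)
+	if err != nil {
+		return "", err
+	}
+
+	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
+		return "", fmt.Errorf("archive entry path %q escapes target directory", entry)
+	}
+
+	return target, nil
+}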
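Review bot: The containment check in resolveExtractPath is purely lexical: filepath.Clean, Join and Rel never consult the filesystem, so a target that passes here can still resolve outside base if base itself or a directory component already created from an earlier archive entry is a symbolic link. The function is unexported and has no doc comment stating that contract, which is the main thing a caller extracting untrusted archives needs to know; I would add `// resolveExtractPath returns the path under base at which archive entry should be written.`, `// The check is lexical only (no symlink resolution); callers must reject or validate symlink entries separately.` above the signature. The `filepath.Rel` failure on the new line 23 is returned bare and loses which entry was being resolved; `return "", fmt.Errorf("resolving archive entry path %q: %w", entry, err)` keeps it consistent with the other three error returns. The `cleaned == ""` half of the first condition is unreachable since filepath.Clean returns "." for an empty input, so `if cleaned == "." {` is sufficient.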
