fix: optimized archive extraction path traversal checks

cyberchen1995 · cyberchen1995 · commit 6c84bd5f90e2 · 2026-03-19T17:27:03.000+08:00
diff --git a/opensca/walk/path.go b/opensca/walk/path.go
@@ -0,0 +1,27 @@
+package walk
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+)
+
+func resolveExtractPath(output, entry string) (string, error) {
+	if filepath.IsAbs(entry) {
+		return "", fmt.Errorf("invalid file path: %s", entry)
+	}
+
+	base := filepath.Clean(output)
+	target := filepath.Join(base, entry)
+
+	rel, err := filepath.Rel(base, target)
+	if err != nil {
+		return "", err
+	}
+
+	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
+		return "", fmt.Errorf("invalid file path: %s", entry)
+	}
+
+	return target, nil
+}
