fix: Potential fix for code scanning alert no. 6: Arbitrary file access during archive extraction ("Zip Slip") (#52)

Signed-off-by: 梦里不知身是客 <liang.tang.cx@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: unknowIfGuestInDream

bundles/com.tlcsdm.eclipse.rcp.example.python3.win32.x86_64/src/com/tlcsdm/eclipse/rcp/example/python3/Activator.java

@@ -88,6 +88,7 @@ private static void install() throws IOException, URISyntaxException {
         Path target = installDir.resolve("runtimes/python");
         // 确保目标目录存在，即使 runtimes 或 python 文件夹不存在
         Files.createDirectories(target);
+        Path normalizedTarget = target.toAbsolutePath().normalize();
 
         // 2. 检查是否已经安装过
         Path pythonExe = target.resolve("python.exe");
@@ -103,7 +104,10 @@ private static void install() throws IOException, URISyntaxException {
 
                 ZipEntry entry;
                 while ((entry = zis.getNextEntry()) != null) {
-                    Path filePath = target.resolve(entry.getName());
+                    Path filePath = normalizedTarget.resolve(entry.getName()).normalize();
+                    if (!filePath.startsWith(normalizedTarget)) {
+                        throw new IOException("Bad zip entry: " + entry.getName());
+                    }
                     if (entry.isDirectory()) {
                         Files.createDirectories(filePath);
                     } else {