From 46722dde964fdf3ea510b54d46b5b4f75cd4dbb3 Mon Sep 17 00:00:00 2001
From: Rick <1450685+LinuxSuRen@users.noreply.github.com>
Date: Thu, 6 Mar 2025 09:27:09 +0800
Subject: [PATCH] Potential fix for code scanning alert no. 69: Arbitrary file access during archive extraction ("Zip Slip")
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Rick <1450685+LinuxSuRen@users.noreply.github.com>
---
 pkg/apispec/remote_swagger.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/apispec/remote_swagger.go b/pkg/apispec/remote_swagger.go
index 3a0be27..4504e78 100644
--- a/pkg/apispec/remote_swagger.go
+++ b/pkg/apispec/remote_swagger.go
@@ -27,6 +27,7 @@ import (
 "net/http"
 "os"
 "path/filepath"
+ "strings"
 )
 
 func DownloadSwaggerData(output string, dw downloader.PlatformAwareOCIDownloader) (err error) {
@@ -106,6 +107,12 @@ func decompressData(dataFile string) (err error) {
 panic(err)
 }
+ // Ensure the file path does not contain directory traversal sequences
+ if strings.Contains(header.Name, "..") {
+ fmt.Printf("Skipping entry with unsafe path: %s\n", header.Name)
+ continue
+ }
+
 destPath := filepath.Join(filepath.Dir(dataFile), filepath.Base(header.Name))
 switch header.Typeflag {