Potential fix for code scanning alert no. 69: Arbitrary file access during archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Rick <1450685+LinuxSuRen@users.noreply.github.com>
Rick 2025-03-06 09:27:09 +08:00 committed by GitHub
parent 0d30d5e6cc
commit 46722dde96
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 7 additions and 0 deletions


@ -27,6 +27,7 @@ import (
"net/http" "net/http"
"os" "os"
"path/filepath" "path/filepath"
"strings"
) )
func DownloadSwaggerData(output string, dw downloader.PlatformAwareOCIDownloader) (err error) { func DownloadSwaggerData(output string, dw downloader.PlatformAwareOCIDownloader) (err error) {
@ -106,6 +107,12 @@ func decompressData(dataFile string) (err error) {
panic(err) panic(err)
} }
// Ensure the file path does not contain directory traversal sequences
if strings.Contains(header.Name, "..") {
fmt.Printf("Skipping entry with unsafe path: %s\n", header.Name)
continue
}
destPath := filepath.Join(filepath.Dir(dataFile), filepath.Base(header.Name)) destPath := filepath.Join(filepath.Dir(dataFile), filepath.Base(header.Name))
switch header.Typeflag { switch header.Typeflag {