node/nvm-windows
1
0
Fork 0
mirror of https://github.com/coreybutler/nvm-windows.git synced 2026-01-14 07:03:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix code scanning alert no. 2: Arbitrary file access during archive extraction ("Zip Slip")

Browse Source 
Prevent zip extraction from processing arbitrary files.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
Corey Butler
2025-01-03 21:25:16 -06:00
committed by GitHub
parent f538704ab5
commit 9f653a2ce6
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/upgrade/upgrade.go
View File

@@ -845,6 +845,11 @@ func unzip(src string, dest string) error {
// Build the path for each file in the destination directory
fpath := filepath.Join(dest, f.Name)
// Validate the file path to prevent directory traversal
if strings.Contains(f.Name, "..") {
return fmt.Errorf("invalid file path: %s", f.Name)
}
// Check if the file is a directory
if f.FileInfo().IsDir() {
// Create directory if it doesn't exist