authorShulhan <ms@kilabit.info>2023-07-23 15:44:13 +0700
committerShulhan <ms@kilabit.info>2023-07-23 15:44:13 +0700
commit3e4da8e2369d37c91249d5a53cf8be94490c7cf2 (patch)
tree577fc4348c0b27c74894b5eb83f58c37cec43d29
parent482ba1feeb80112c82a2ec22bde67cb27f2a8f41 (diff)
lib/os: check for extract path in untar and unzip
Once we have Join-ed the output directory with the file name, we check whether the result of the join is still under the output directory; if it is not, return an error to prevent the Zip Slip vulnerability [1]. [1] https://cwe.mitre.org/data/definitions/22.html
-rw-r--r--lib/os/extract.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/os/extract.go b/lib/os/extract.go
index 324dd3c2..becead88 100644
--- a/lib/os/extract.go
+++ b/lib/os/extract.go
@@ -322,6 +322,10 @@ func (xtrk *extractor) untar(fin io.Reader) (err error) {
fi = hdr.FileInfo()
filePath = filepath.Join(xtrk.dirOutput, hdr.Name)
+ if !strings.HasPrefix(filePath, xtrk.dirOutput) {
+ return fmt.Errorf(`%s: extract path outside of output directory`, logp)
+ }
+
if fi.IsDir() {
err = os.Mkdir(filePath, fi.Mode())
if err != nil {
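Review bot: The added `strings.HasPrefix(filePath, xtrk.dirOutput)` check on the `filePath` line is a bare string-prefix test, so a sibling directory that merely shares the prefix is accepted: with `dirOutput` of `out`, an entry named `../outside/x` joins to `outside/x`... no, but with `dirOutput` of `/tmp/out`, an entry resolving to `/tmp/outside/x` passes because `/tmp/out` is a prefix of it. The same check appears in the unzip hunk below. Since `filepath.Join` returns a cleaned path while `xtrk.dirOutput` is used as given, a relative-path comparison is more robust than a prefix: `rel, relErr := filepath.Rel(xtrk.dirOutput, filePath)` followed by `if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {` before the existing `return fmt.Errorf(...)`; it also avoids rejecting valid entries when `dirOutput` is uncleaned (for example `./out`), which the prefix check would do. This check does not cover escape via symlink entries written earlier in the archive; whether those are handled is outside the hunk, as `untar` starts and ends outside it.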
@@ -397,6 +401,10 @@ func (xtrk *extractor) unzip(fin *os.File) (err error) {
fi = zipFile.FileInfo()
filePath = filepath.Join(xtrk.dirOutput, zipFile.Name)
+ if !strings.HasPrefix(filePath, xtrk.dirOutput) {
+ return fmt.Errorf(`%s: extract path outside of output directory`, logp)
+ }
+
if fi.IsDir() {
err = os.Mkdir(filePath, fi.Mode())
if err != nil {