fix: arbitrary file access during archive extraction

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2025-02-07 15:44:53 +01:00
parent d3371d58bd
commit 2cfed99cf5
1 changed files with 24 additions and 1 deletions
--- a/fields/download.go
+++ b/fields/download.go
@@ -20,6 +20,24 @@ import (
 	"github.com/xor-gate/ar"
 )

+func sanitizeExtractedPath(filePath, destinationDir string) (string, error) {
+	absDestinationDir, err := filepath.Abs(destinationDir)
+	if err != nil {
+		return "", err
+	}
+
+	absFilePath, err := filepath.Abs(filepath.Join(destinationDir, filePath))
+	if err != nil {
+		return "", err
+	}
+
+	if !strings.HasPrefix(absFilePath, absDestinationDir) {
+		return "", fmt.Errorf("invalid file path: %s", filePath)
+	}
+
+	return absFilePath, nil
+}
+
 func DownloadAndExtract(downloadUrl url.URL, outputDir string) error {
 	targetInfo, err := os.Stat(outputDir)
 	if err != nil {
@@ -147,7 +165,12 @@ func extractJSON(jarFile, fieldsDir string) error {
 				return err
 			}

-			dst, err := os.Create(filepath.Join(fieldsDir, filepath.Base(f.Name)))
+			dstPath, err := sanitizeExtractedPath(f.Name, fieldsDir)
+			if err != nil {
+				return err
+			}
+
+			dst, err := os.Create(dstPath)
 			if err != nil {
 				return err
 			}