From 1c05f17bce35c9060b0a608dfb6f774d07f2ace5 Mon Sep 17 00:00:00 2001
From: vimiix
Date: Wed, 12 Jun 2024 15:49:48 +0800
Subject: [PATCH] fix(utils): avoid zip slip vulnerability

---
 internal/utils/utils.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/internal/utils/utils.go b/internal/utils/utils.go
index a481713..6e8edeb 100644
--- a/internal/utils/utils.go
+++ b/internal/utils/utils.go
@@ -17,6 +17,7 @@ import (
 "github.com/denisbrodbeck/machineid"
 "github.com/pkg/errors"
 "github.com/vimiix/ssx/internal/file"
+"github.com/vimiix/ssx/internal/lg"
 "github.com/vimiix/ssx/ssx/env"
 )
 
@@ -198,6 +199,11 @@ func Untar(tarPath string, targetDir string, filenames ...string) error {
 case header == nil:
 continue
 }
+if strings.Contains(header.Name, "..") {
+// code scanning: https://github.com/vimiix/ssx/security/code-scanning/3
+lg.Warn("ignore file %s due to zip slip vulnerability", header.Name)
+continue
+}
 // the target location where the dir/file should be created
 target := filepath.Join(targetDir, filepath.FromSlash(header.Name))
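Review bot: The substring test `strings.Contains(header.Name, "..")` added after the `case header == nil` block is not the property the scanner finding is about: it rejects legitimate entries whose name merely contains `..` (e.g. `logs..old/x`) while never checking that the resolved `target` actually stays under `targetDir`. The robust form is to build `target` first and then confirm with `filepath.Rel` that it does not escape, as in the excerpt below. Skipping the entry with `lg.Warn` also means a hostile archive extracts partially and Untar still returns nil; returning an error is the safer default, and `%q` rather than `%s` keeps an odd entry name readable in the log. Untar's body continues outside this hunk; if it also materialises symlink or hardlink entries, their `Linkname` needs the same containment check.
```go
// … unchanged: header-nil check …
// the target location where the dir/file should be created
target := filepath.Join(targetDir, filepath.FromSlash(header.Name))
// zip slip: refuse any entry that would resolve outside targetDir
rel, relErr := filepath.Rel(targetDir, target)
if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
	return errors.Errorf("tar entry %q escapes target dir %q", header.Name, targetDir)
}
```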