Fixing warning from CodeQL saying if uploaded scan zip has .. in a pa…

…th it may reference outside zip directory
pixlise · Nov 15, 2024 · 016584d · 016584d
1 parent 4f86d62
commit 016584d
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/api/ws/handlers/scan.go b/api/ws/handlers/scan.go
@@ -510,6 +510,10 @@ func processEM(importId string, zipReader *zip.Reader, zippedData []byte, destBu
 	sdf_raw_zipPath := ""
 
 	for _, f := range zipReader.File {
+		if strings.Contains(f.Name, "..") {
+			return fmt.Errorf("Found invalid path in zip that references ..: %v", f.Name)
+		}
+
 		if !f.FileInfo().IsDir() {
 			// Add to list of files we're interested in
 			if strings.HasSuffix(f.Name, "sdf_raw.txt") {