From 016584d48f8bbbf455143a55b6bb19d89f4dc267 Mon Sep 17 00:00:00 2001
From: Peter Nemere
Date: Fri, 15 Nov 2024 11:31:30 +1000
Subject: [PATCH] Fixing warning from CodeQL saying if uploaded scan zip has .. in a path it may reference outside zip directory
---
 api/ws/handlers/scan.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/api/ws/handlers/scan.go b/api/ws/handlers/scan.go
index e819767c..ae204ad5 100644
--- a/api/ws/handlers/scan.go
+++ b/api/ws/handlers/scan.go
@@ -510,6 +510,10 @@ func processEM(importId string, zipReader *zip.Reader, zippedData []byte, destBu
 sdf_raw_zipPath := ""
 for _, f := range zipReader.File {
+ if strings.Contains(f.Name, "..") {
+ return fmt.Errorf("Found invalid path in zip that references ..: %v", f.Name)
+ }
+
 if !f.FileInfo().IsDir() {
 // Add to list of files we're interested in
 if strings.HasSuffix(f.Name, "sdf_raw.txt") {
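Review bot: The substring test `strings.Contains(f.Name, "..")` on the added line is both too broad and too narrow for the warning the commit addresses: it rejects harmless entry names such as `foo..txt`, while an entry name that is absolute (leading `/`) contains no `..` and passes untouched, and what ultimately decides safety is how the name is joined with the destination directory later in processEM, which lies outside this hunk. If the module targets Go 1.20 or newer, `if !filepath.IsLocal(f.Name) { return fmt.Errorf("invalid path in zip: %q", f.Name) }` rejects `..` traversal, absolute paths and Windows reserved names in one check; otherwise compare `filepath.Clean` of the joined path against the destination prefix at the point where entries are written out. Whichever check is kept, the error string should be lowercase per Go convention and use `%q` rather than `%v` so an empty or whitespace-padded name is visible in logs. The enclosing processEM function starts and ends outside the hunk.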