fix: improper limitation of a pathname
Signed-off-by: Valery Piashchynski <[email protected]>
rustatian committed Jul 25, 2024
1 parent bba88ed commit 9a2bcf3
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions github/repo.go
Expand Up @@ -141,6 +141,10 @@ func (r *GHRepo) DownloadTemplate(tmp, version string) (string, error) { //nolin
}

outDir := rc.File[0].Name
if strings.Contains(outDir, "..") {
return "", errors.New("CWE-22, output dir from a zip file can't contain a '..' filesystem operation, more info: https://cwe.mitre.org/data/definitions/22.html")
}

for _, zf := range rc.File {
r.log.Debug("extracting repository", slog.String("file", zf.Name), slog.String("path", dest))
err = extract(dest, zf)
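Review bot: The new guard only inspects `rc.File[0].Name`, while the loop that follows hands every `zf.Name` to `extract(dest, zf)`; unless `extract` re-validates the path (not visible here), a later archive entry can still carry a traversal component. The check is also a string match rather than a path check: `strings.Contains(outDir, "..")` rejects benign names such as `a..b` and says nothing about where the joined path actually lands. A per-entry check inside the loop is more robust, e.g. `if p := filepath.Join(dest, zf.Name); !strings.HasPrefix(p, filepath.Clean(dest)+string(os.PathSeparator)) { return "", errors.New("CWE-22, zip entry escapes the destination directory") }` (needs `path/filepath` and `os` in scope, which this hunk does not show). Whether `len(rc.File) > 0` is established before the `rc.File[0]` index is outside the hunk; the enclosing `DownloadTemplate` body starts and ends beyond it.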
