Fix code scanning alert no. 9: Arbitrary file access during archive e…

…xtraction ("Zip Slip") Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
tomhub · Nov 3, 2024 · 43b93de · 43b93de
1 parent e215f49
commit 43b93de
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/app/main/backup.js b/app/main/backup.js
@@ -258,8 +258,12 @@ export const loadBackup = async (mainWindow, backupOptions) => {
                 // Write CT
                 await Promise.all(files.map(async (file) => {
                     if (/controlledTerminology\/.+/.test(file)) {
-                        let contents = await zip.file(file).async('nodebuffer');
-                        await writeFile(path.join(pathToCT, file.replace('controlledTerminology/', '')), contents);
+                        if (file.indexOf('..') === -1) {
+                            let contents = await zip.file(file).async('nodebuffer');
+                            await writeFile(path.join(pathToCT, file.replace('controlledTerminology/', '')), contents);
+                        } else {
+                            console.log('skipping bad path', file);
+                        }
                     }
                 }));
             }