From 43b93de38ca818cae57122ac040144c80cfc3a7b Mon Sep 17 00:00:00 2001
From: Tomas
Date: Sun, 3 Nov 2024 12:19:26 +0000
Subject: [PATCH] Fix code scanning alert no. 9: Arbitrary file access during archive extraction ("Zip Slip")
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 app/main/backup.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/main/backup.js b/app/main/backup.js
index 008ed75..c445f09 100644
--- a/app/main/backup.js
+++ b/app/main/backup.js
@@ -258,8 +258,12 @@ export const loadBackup = async (mainWindow, backupOptions) => {
 // Write CT
 await Promise.all(files.map(async (file) => {
 if (/controlledTerminology\/.+/.test(file)) {
- let contents = await zip.file(file).async('nodebuffer');
- await writeFile(path.join(pathToCT, file.replace('controlledTerminology/', '')), contents);
+ if (file.indexOf('..') === -1) {
+ let contents = await zip.file(file).async('nodebuffer');
+ await writeFile(path.join(pathToCT, file.replace('controlledTerminology/', '')), contents);
+ } else {
+ console.log('skipping bad path', file);
+ }
 }
 }));
 }
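Review bot: The new `file.indexOf('..') === -1` guard is a substring check rather than a containment check: it rejects legitimate archive entries whose file name merely contains two dots (e.g. `controlledTerminology/a..b.json`), and it is not the canonical Zip Slip defense, which is to resolve the destination against the target directory and verify the result stays inside it. Since `path.join` already normalizes `..` segments, the robust form is to compute the resolved destination once and compare it with the resolved `pathToCT` using a `path.sep`-terminated prefix, then write to that resolved path instead of re-joining; the rewrite below replaces the added `if` and the `writeFile` line. The `console.log` on the skip branch could also carry the resolved path rather than the raw entry name, since that is what was actually rejected. The enclosing `loadBackup` function starts and ends outside this hunk, so the declaration of `pathToCT` is not visible here and is assumed to be an absolute directory path.

```javascript
        if (/controlledTerminology\/.+/.test(file)) {
            const root = path.resolve(pathToCT);
            const dest = path.resolve(root, file.replace('controlledTerminology/', ''));
            if (dest.startsWith(root + path.sep)) {
                let contents = await zip.file(file).async('nodebuffer');
                await writeFile(dest, contents);
            } else {
                console.log('skipping bad path', file);
            }
        }
// … unchanged: closing of the Promise.all callback …
```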