Fixing zip extraction logic (#3875)

soninaren · web-flow · commit 3e421ca6c547 · 2024-12-04T11:21:53.000-08:00
diff --git a/build/FileHelpers.cs b/build/FileHelpers.cs
@@ -119,7 +119,15 @@ public static void ExtractZipFileForce(string zipFile, string to)
             {
                 foreach (ZipArchiveEntry file in archive.Entries)
                 {
-                    file.ExtractToFile(Path.Combine(to, file.FullName), overwrite: true);
+                    string destFileName = Path.GetFullPath(Path.Combine(to, file.FullName));
+                    string fullDestDirPath = Path.GetFullPath(to + Path.DirectorySeparatorChar);
+
+                    if (!destFileName.StartsWith(fullDestDirPath))
+                    {
+                        throw new System.InvalidOperationException("Entry is outside the target dir: " + destFileName);
+                    }
+
+                    file.ExtractToFile(destFileName, overwrite: true);
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,15 @@ public static void ExtractZipFileForce(string zipFile, string to)`
`119`	`119`	`{`
`120`	`120`	`foreach (ZipArchiveEntry file in archive.Entries)`
`121`	`121`	`{`
`122`		`- file.ExtractToFile(Path.Combine(to, file.FullName), overwrite: true);`
	`122`	`+ string destFileName = Path.GetFullPath(Path.Combine(to, file.FullName));`
	`123`	`+ string fullDestDirPath = Path.GetFullPath(to + Path.DirectorySeparatorChar);`
	`124`	`+`
	`125`	`+ if (!destFileName.StartsWith(fullDestDirPath))`
	`126`	`+ {`
	`127`	`+ throw new System.InvalidOperationException("Entry is outside the target dir: " + destFileName);`
	`128`	`+ }`
	`129`	`+`
	`130`	`+ file.ExtractToFile(destFileName, overwrite: true);`
`123`	`131`	`}`
`124`	`132`	`}`
`125`	`133`	`}`