chore: stricter path checking when unpacking zip/tgz

2026-02-26 16:57:08 +00:00 · 2025-05-20 00:00:07 +08:00
parent ed42c4feb8
commit a93479124c
1 changed files with 11 additions and 2 deletions
--- a/component/updater/update_ui.go
+++ b/component/updater/update_ui.go
@@ -221,7 +221,7 @@ func unzip(src, dest string) (string, error) {
 			fpath = filepath.Join(extractedFolder, f.Name)
 		}

-		if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
+		if !inDest(fpath, dest) {
 			return "", fmt.Errorf("invalid file path: %s", fpath)
 		}
 		info := f.FileInfo()
@@ -344,7 +344,7 @@ func untgz(src, dest string) (string, error) {
 			fpath = filepath.Join(extractedFolder, cleanTarPath(header.Name))
 		}

-		if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
+		if !inDest(fpath, dest) {
 			return "", fmt.Errorf("invalid file path: %s", fpath)
 		}

@@ -421,3 +421,12 @@ func cleanup(root string) error {
 		return nil
 	})
 }
+
+func inDest(fpath, dest string) bool {
+	if rel, err := filepath.Rel(dest, fpath); err == nil {
+		if filepath.IsLocal(rel) {
+			return true
+		}
+	}
+	return false
+}