1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
package forms
import (
"archive/zip"
"fmt"
"io"
"os"
"path/filepath"
"strings"
)
func unzip(srcArchivePath, dstRoot string) error {
// Closure to address file descriptors issue with all the deferred .Close() methods
extractAndWriteFile := func(zf *zip.File) error {
if zf.FileInfo().IsDir() {
return nil
}
destPath := filepath.Join(dstRoot, zf.Name)
// Check for ZipSlip (Directory traversal)
if !strings.HasPrefix(destPath, filepath.Clean(dstRoot)+string(os.PathSeparator)) {
return fmt.Errorf("illegal file path: %s", destPath)
}
// Ensure target directory exists
if err := os.MkdirAll(filepath.Dir(destPath), 0o755); err != nil {
return fmt.Errorf("can't create target directory: %w", err)
}
// Write file
src, err := zf.Open()
if err != nil {
return err
}
defer src.Close()
dst, err := os.OpenFile(destPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, zf.Mode())
if err != nil {
return err
}
defer dst.Close()
_, err = io.Copy(dst, src)
return err
}
r, err := zip.OpenReader(srcArchivePath)
if err != nil {
return err
}
defer r.Close()
for _, f := range r.File {
if err := extractAndWriteFile(f); err != nil {
return err
}
}
return r.Close()
}
|
