From 5bd89305250fe561c4db9cc1ecb166aa0b6d12f6 Mon Sep 17 00:00:00 2001
From: alerickson <25858831+alerickson@users.noreply.github.com>
Date: Mon, 23 Oct 2023 17:00:32 -0700
Subject: [PATCH] Sanitize archive entry file name

---
 src/code/InstallHelper.cs | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/code/InstallHelper.cs b/src/code/InstallHelper.cs
index 028f28334..736267417 100644
--- a/src/code/InstallHelper.cs
+++ b/src/code/InstallHelper.cs
@@ -1175,13 +1175,19 @@ private bool TryExtractToDirectory(string zipPath, string extractPath, out Error
             {
                 foreach (ZipArchiveEntry entry in archive.Entries)
                 {
+                    // Sanitize the filename to remove any potentially harmful characters
+                    string sanitizedFileName = Path.GetFileName(entry.FullName);
+
+                    // Create a new entry in the archive
+                    ZipArchiveEntry sanitizedEntry = archive.CreateEntry(sanitizedFileName);
+
                     // If a file has one or more parent directories.
-                    if (entry.FullName.Contains(Path.DirectorySeparatorChar) || entry.FullName.Contains(Path.AltDirectorySeparatorChar))
+                    if (sanitizedEntry.FullName.Contains(Path.DirectorySeparatorChar) || sanitizedEntry.FullName.Contains(Path.AltDirectorySeparatorChar))
                     {
                         // Create the parent directories if they do not already exist
                         var lastPathSeparatorIdx = entry.FullName.Contains(Path.DirectorySeparatorChar) ?
-                            entry.FullName.LastIndexOf(Path.DirectorySeparatorChar) : entry.FullName.LastIndexOf(Path.AltDirectorySeparatorChar);
-                        var parentDirs = entry.FullName.Substring(0, lastPathSeparatorIdx);
+                            sanitizedEntry.FullName.LastIndexOf(Path.DirectorySeparatorChar) : sanitizedEntry.FullName.LastIndexOf(Path.AltDirectorySeparatorChar);
+                        var parentDirs = sanitizedEntry.FullName.Substring(0, lastPathSeparatorIdx);
                         var destinationDirectory = Path.Combine(extractPath, parentDirs);
                         if (!Directory.Exists(destinationDirectory))
                         {
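Review bot: `archive.CreateEntry(sanitizedFileName)` creates a new, empty entry in the archive rather than a sanitized view of `entry`, so the `sanitizedEntry.ExtractToFile(...)` call in the second hunk writes a zero-byte file and the original entry's content is never extracted; it also appears to add to `archive.Entries` while the `foreach` is enumerating it, and if the `using` that opens `archive` (outside this hunk) opens it read-only I believe `CreateEntry` will throw. `Path.GetFileName` strips every directory segment as well, so the "one or more parent directories" branch can never be taken on `sanitizedEntry.FullName`, nested package files are flattened into `extractPath`, and the `lastPathSeparatorIdx` line is left testing `entry.FullName` on one side and `sanitizedEntry.FullName` on the other. The traversal concern is better addressed by keeping `entry` as-is and rejecting any entry whose resolved `destinationPath` falls outside the extract root, which also covers the directory-creation branch; the second hunk's comment "Gets the full path to ensure that relative segments are removed" overstates what `Path.GetFullPath` guarantees, since a normalized path can still point outside `extractPath`. `TryExtractToDirectory` starts and ends outside both hunks.
```csharp
// Resolve the extract root once, with a trailing separator so a sibling directory
// that merely shares the prefix is not accepted as "inside" the root.
string extractRoot = Path.GetFullPath(extractPath);
if (!extractRoot.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
{
    extractRoot += Path.DirectorySeparatorChar;
}

foreach (ZipArchiveEntry entry in archive.Entries)
{
    // Reject entries that would resolve outside the extract root ("..", rooted names)
    // before any directory is created or any file is written for them.
    string destinationPath = Path.GetFullPath(Path.Combine(extractPath, entry.FullName));
    if (!destinationPath.StartsWith(extractRoot, StringComparison.Ordinal))
    {
        // … report the offending entry via the method's out error parameter and return false …
    }

    // … unchanged: parent-directory creation and ExtractToFile, using entry rather than sanitizedEntry …
}
```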
@@ -1190,9 +1196,9 @@ private bool TryExtractToDirectory(string zipPath, string extractPath, out Error
                     }

                     // Gets the full path to ensure that relative segments are removed.
-                    string destinationPath = Path.GetFullPath(Path.Combine(extractPath, entry.FullName));
+                    string destinationPath = Path.GetFullPath(Path.Combine(extractPath, sanitizedEntry.FullName));

-                    entry.ExtractToFile(destinationPath, overwrite:true);
+                    sanitizedEntry.ExtractToFile(destinationPath, overwrite:true);
                 }
             }
         }