Commit 1b51d20
fix: sanitize ZIP entry names to prevent path traversal
CreateZip used the caller-supplied file name verbatim as the ZIP entry
name, allowing traversal sequences (e.g. "../../") to be embedded in
produced archives. Sanitize each name with Path.GetFileName so only the
bare file component is stored, and throw ArgumentException when the name
has no valid file component.
Refs GHSA-mr97-hxhp-w3gg (#40)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 73c2e43 commit 1b51d20
2 files changed
Lines changed: 37 additions & 2 deletions
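The rule the commit message describes, as an added C# example that is not the project's own code: `SanitizeEntryName` applies exactly the stated fix (`Path.GetFileName`, then `ArgumentException` when no file component remains). Everything else is an assumption added here: the type and method names, the `CreateZip` shape, the constructed sample names, the `AllEntriesAreBareNames` read-back check, and the `SanitizeEntryNamePortable` variant, which also cuts at backslashes because on Linux and macOS `Path.GetFileName` recognises only `/` as a separator, so a name containing `\` would otherwise be stored intact and could be read as a path by a Windows extractor.

```csharp
// Added example (not the project's code). Illustrates the fix the commit
// message describes: entry names are reduced to their bare file component
// with Path.GetFileName and rejected when none remains. Type and method
// names here are hypothetical.
using System;
using System.IO;
using System.IO.Compression;
using System.Text;

static class ZipEntryNames
{
    // Rule as stated in the commit message: Path.GetFileName, then throw
    // ArgumentException if no file component is left. Rejecting "." and ".."
    // explicitly is an addition here; Path.GetFileName returns them unchanged.
    public static string SanitizeEntryName(string name)
    {
        string fileName = Path.GetFileName(name);
        if (string.IsNullOrEmpty(fileName) || fileName == "." || fileName == "..")
            throw new ArgumentException($"'{name}' has no valid file component.", nameof(name));
        return fileName;
    }

    // Host-independent variant (assumption beyond the commit): on Linux/macOS
    // Path.GetFileName treats only '/' as a separator, so a name containing
    // '\' would be stored whole and a Windows extractor may read it as a path.
    // Cutting at both separators gives the same result on every host.
    public static string SanitizeEntryNamePortable(string name)
    {
        int cut = Math.Max(name.LastIndexOf('/'), name.LastIndexOf('\\'));
        string fileName = cut >= 0 ? name.Substring(cut + 1) : name;
        if (fileName.Length == 0 || fileName == "." || fileName == "..")
            throw new ArgumentException($"'{name}' has no valid file component.", nameof(name));
        return fileName;
    }

    // Builds an archive in memory, storing each file under its sanitized name.
    public static byte[] CreateZip(params (string Name, byte[] Content)[] files)
    {
        using var ms = new MemoryStream();
        using (var zip = new ZipArchive(ms, ZipArchiveMode.Create, leaveOpen: true))
        {
            foreach (var (name, content) in files)
            {
                ZipArchiveEntry entry = zip.CreateEntry(SanitizeEntryNamePortable(name));
                using Stream s = entry.Open();
                s.Write(content, 0, content.Length);
            }
        }
        return ms.ToArray();
    }

    // Defender-side check on a produced archive: no stored entry name may
    // carry a directory part or be a dot entry.
    public static bool AllEntriesAreBareNames(byte[] zipBytes)
    {
        using var zip = new ZipArchive(new MemoryStream(zipBytes), ZipArchiveMode.Read);
        foreach (ZipArchiveEntry entry in zip.Entries)
        {
            string n = entry.FullName;
            if (n.Length == 0 || n.Contains('/') || n.Contains('\\') || n == "." || n == "..")
                return false;
        }
        return true;
    }

    public static void Main()
    {
        // Constructed sample names, including the "../../" shape from the commit message.
        byte[] zip = CreateZip(
            ("report.txt", Encoding.UTF8.GetBytes("plain name")),
            ("../../report2.txt", Encoding.UTF8.GetBytes("traversal prefix dropped")),
            ("sub\\dir\\report3.txt", Encoding.UTF8.GetBytes("backslash prefix dropped")));

        Console.WriteLine($"all entries bare: {AllEntriesAreBareNames(zip)}");

        // Names with no file component are rejected, as the commit message states.
        foreach (string bad in new[] { "dir/", "..", "" })
        {
            try { SanitizeEntryName(bad); }
            catch (ArgumentException ex) { Console.WriteLine($"rejected '{bad}': {ex.Message}"); }
        }
    }
}
```

The read-back check is the useful regression test for a fix like this: rather than trusting the sanitiser, open the archive the code just produced and assert that no entry name contains a separator. If the project runs its tests on Linux only, that check is also what catches the backslash case the `Path.GetFileName`-only rule misses.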
Diff (the file names and the changed lines were not preserved in this rendering; only the line-number columns survived):
File 1: original line 15 removed, new lines 15-25 added (1 deletion, 11 additions); lines 12-14 and 16-18 are unchanged context.
File 2: original line 47 removed, new lines 47-48 added, and new lines 52-75 inserted after original line 50 (1 deletion, 26 additions); lines 44-46, 48-50 and 51-53 are unchanged context.
0 commit comments