fix(util): safe unzip (#3931)

ngjaying · github-advanced-security[bot] · ngjaying · commit 993ec6a7abc5 · 2025-11-21T15:53:25.000+08:00
Signed-off-by: Jiyong Huang &lt;huangjy@emqx.io&gt;
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/internal/plugin/native/manager.go b/internal/plugin/native/manager.go
@@ -48,6 +48,32 @@ import (
 	"github.com/lf-edge/ekuiper/v2/pkg/kv"
 )
 
+// isSafeArchiveEntry checks if the entry name is safe for extraction
+func isSafeArchiveEntry(name string) bool {
+	// Disallow absolute paths
+	if strings.HasPrefix(name, "/") || strings.HasPrefix(name, "\\") {
+		return false
+	}
+	// Disallow parent traversal
+	parts := strings.Split(name, "/")
+	for _, p := range parts {
+		if p == ".." {
+			return false
+		}
+	}
+	parts = strings.Split(name, "\\")
+	for _, p := range parts {
+		if p == ".." {
+			return false
+		}
+	}
+	// Prevent special device files (on Windows)
+	if strings.HasPrefix(name, "CON") || strings.HasPrefix(name, "PRN") || strings.HasPrefix(name, "AUX") || strings.HasPrefix(name, "NUL") {
+		return false
+	}
+	return true
+}
+
 // Manager Initialized in the binder
 var (
 	manager *Manager
@@ -538,6 +564,11 @@ func (rr *Manager) install(t plugin2.PluginType, name, src string, shellParas []
 	for _, file := range r.File {
 		zipFiles = append(zipFiles, file.Name)
 		fileName := file.Name
+		// Prevent Zip Slip: only allow safe archive entries
+		if !isSafeArchiveEntry(fileName) {
+			conf.Log.Errorf("Refuse to extract potentially unsafe archive entry: %s", fileName)
+			continue
+		}
 		switch {
 		case yamlFile == fileName:
 			yamlFileChecked = true
