Potential fix for code scanning alert no. 1: Arbitrary file access during archive extraction ("Zip Slip")
Potential fix for https://github.com/mybatis/migrations/security/code-scanning/1
To fix the issue, we need to validate the entry.getName() value to ensure it does not contain directory traversal sequences (../) or absolute paths. This can be achieved by normalizing the constructed path and verifying that it remains within the intended base directory. Specifically:
- Use java.nio.file.Path to construct and normalize the path.
- Check that the normalized path starts with the intended base directory.
- If the validation fails, skip the entry or throw an exception.
The fix will be applied in the listResources method (or equivalent logic) where entry.getName() is processed.
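The check described above, worked through as an added example; this is not code from the mybatis/migrations project or from the Copilot suggestion, and the class name ZipSlipGuard, the method names and the archive entry names are all assumptions constructed for the demo. safeResolve is the core of the fix: it resolves the entry name against the extraction directory, normalizes the result so that ../ segments are collapsed, and rejects anything that no longer starts with the base directory (which also covers absolute entry names, since resolve returns them unchanged).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example (not project code): guarding archive extraction against Zip Slip. */
public class ZipSlipGuard {

    /**
     * Resolve an archive entry name against the extraction directory and refuse
     * anything that would land outside it. Returns the validated target path.
     */
    static Path safeResolve(Path baseDir, String entryName) throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() returns an absolute entry name unchanged, and normalize()
        // collapses "../" segments, so the startsWith check below catches both
        // traversal sequences and absolute paths.
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("Entry is outside of the target directory: " + entryName);
        }
        return target;
    }

    /** Extract every entry under baseDir, aborting on the first traversal attempt. */
    static List<Path> extract(byte[] zipBytes, Path baseDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = safeResolve(baseDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    // ZipInputStream.read() returns -1 at the end of the current entry,
                    // so Files.copy writes exactly this entry's bytes.
                    Files.copy(zin, target);
                    written.add(target);
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    /** Build a small archive in memory; the entry names are constructed test data. */
    static byte[] buildArchive(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String name : names) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path baseDir = Files.createTempDirectory("zipslip-demo");

        // Benign archive (constructed): both entries stay under baseDir.
        byte[] ok = buildArchive("scripts/001_create_changelog.sql", "README.txt");
        System.out.println("Extracted: " + extract(ok, baseDir));

        // Archive with a traversal entry (constructed): extraction is refused.
        byte[] bad = buildArchive("scripts/002_ok.sql", "../../outside.txt");
        try {
            extract(bad, baseDir);
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The extractor here throws rather than skipping, since a single traversal entry is reason to distrust the whole archive; entries written before the offending one remain on disk, so a caller that wants all-or-nothing behaviour should extract into a fresh temporary directory and move it into place only after the loop completes. The same startsWith check applies unchanged when the archive is read with ZipFile instead of ZipInputStream.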
Suggested fixes powered by Copilot Autofix. Review carefully before merging.