
Potential fix for code scanning alert no. 2: Arbitrary file access during archive extraction ("Zip Slip")

Open P3GLEG opened this issue 3 months ago • 0 comments

Potential fix for https://github.com/P3GLEG/Whaler/security/code-scanning/2

To fix this issue, you need to ensure that the path constructed from each tar entry name (name) does not contain any directory traversal elements (..) or absolute paths that would allow extraction outside of the target directory. The best solution is to:

  1. Check, for each entry name, that it does NOT contain any .. elements, absolute paths, or any path separators that could navigate outside the destination directory.
  2. Use filepath.Clean, then verify the resulting path starts with the extraction directory (i.e., the joined directory path for the layer).
  3. Skip file system operations for entries that fail this check.

In main.go, you need to:

  • Add a utility function to validate (sanitize) the tar entry name.
  • Use this function before calling os.MkdirAll (directory creation) and os.WriteFile (file extraction), to ensure only safe paths are used.
  • Optionally, log or otherwise handle any skipped/suspicious entries.

You do NOT need new external dependencies—just Go's standard library.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

P3GLEG · Sep 17 '25 03:09
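The three checks the issue lists (reject absolute names, `filepath.Clean`, verify the result still sits under the layer directory) and the "skip the entry" rule, as an added worked example. This is not Whaler's code and not the Copilot-suggested patch; the function names `sanitizeEntryPath`, `extractLayer` and `buildSampleTar` are hypothetical, and the tar archive is constructed inline so the example runs offline. It goes slightly beyond the issue text by also refusing symlink, hardlink and device entries, since a symlink pointing outside the destination would reintroduce the same escape that the path check closes.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks a tar entry name that would land outside the layer directory.
var ErrUnsafePath = errors.New("tar entry escapes extraction directory")

// sanitizeEntryPath (hypothetical name) joins dest and the raw entry name,
// cleans it, and confirms the cleaned path is still inside dest.
func sanitizeEntryPath(dest, name string) (string, error) {
	if name == "" {
		return "", ErrUnsafePath
	}
	// Tar names use '/'; reject absolute names on either convention, and
	// Windows drive-qualified names such as "C:foo".
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrUnsafePath
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, filepath.FromSlash(name)) // Join applies Clean
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", ErrUnsafePath
	}
	// A relative path of ".." or "../..." means the entry climbed out of dest.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// extractLayer (hypothetical name) writes regular files and directories from
// the tar stream into dest. Entries that fail the path check, or that are not
// plain files/directories, are reported in skipped instead of being written.
func extractLayer(r io.Reader, dest string) (extracted, skipped []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, nerr := tr.Next()
		if nerr == io.EOF {
			return extracted, skipped, nil
		}
		if nerr != nil {
			return extracted, skipped, nerr
		}
		target, perr := sanitizeEntryPath(dest, hdr.Name)
		if perr != nil {
			skipped = append(skipped, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return extracted, skipped, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return extracted, skipped, err
			}
			data, rerr := io.ReadAll(tr)
			if rerr != nil {
				return extracted, skipped, rerr
			}
			if err := os.WriteFile(target, data, 0o644); err != nil {
				return extracted, skipped, err
			}
		default:
			// Symlinks, hard links and devices are not materialised.
			skipped = append(skipped, hdr.Name)
			continue
		}
		extracted = append(extracted, hdr.Name)
	}
}

// buildSampleTar returns a constructed archive: one safe file, one "../"
// traversal attempt and one absolute name.
func buildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"etc/hostname", "whaler\n"},
		{"../../outside.txt", "escaped\n"},
		{"/tmp/absolute.txt", "escaped\n"},
	} {
		tw.WriteHeader(&tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(e.body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "whaler-layer-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	ok, bad, err := extractLayer(bytes.NewReader(buildSampleTar()), dest)
	if err != nil {
		panic(err)
	}
	fmt.Println("extracted:", ok)
	fmt.Println("skipped:", bad)
}
```

Using `filepath.Rel` rather than a bare `strings.HasPrefix(target, dest)` matters: a prefix test alone would accept `/layers/l1-evil/x` as being under `/layers/l1`, whereas the relative-path form only passes when the entry really sits beneath the layer directory.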