From 24a9263ba58b69d07eb1b6f85337effb7d8f5572 Mon Sep 17 00:00:00 2001
From: Shawn McGough <shawn.mcgough@gmail.com>
Date: Tue, 22 Oct 2024 15:41:54 -0400
Subject: [PATCH] #4 #5

---
 .gitignore                                          |  2 ++
 .../src/RazorPagesTestSample/Pages/Index.cshtml.cs  | 13 +++++++++----
 .../RazorPagesTestSample.Tests.csproj               |  2 +-
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 9bea4330..cdb05285 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 
 .DS_Store
+# Local configuration file for developers
+src/Application/src/RazorPagesTestSample/config.json
diff --git a/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs b/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs
index 2e6d94bb..250af7cd 100644
--- a/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs
+++ b/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs
@@ -92,10 +92,15 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()
             return RedirectToPage();
         }
 
-        public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
-        {
-            string destFileName = Path.Combine(destDirectory, entry.FullName);
-            entry.ExtractToFile(destFileName);
+    public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
+    {
+        string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
+        string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
+        if (!destFileName.StartsWith(fullDestDirPath)) {
+            throw new System.InvalidOperationException("Entry is outside the target dir: " + destFileName);
         }
+        entry.ExtractToFile(destFileName);
+    }
+
     }
 }
diff --git a/src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj b/src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj
index a66e0a92..a0f5f511 100644
--- a/src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj
+++ b/src/Application/tests/RazorPagesTestSample.Tests/RazorPagesTestSample.Tests.csproj
@@ -13,7 +13,7 @@
     <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="8.0.3" />
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
     <PackageReference Include="Moq" Version="4.20.70" />
-    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="System.Diagnostics.TraceSource" Version="4.3.0" />
     <PackageReference Include="System.Net.Http" Version="4.3.4" />
     <PackageReference Include="xunit" Version="2.7.0" />