Fix code scanning alert no. 1: Arbitrary file access during archive extraction ("Zip Slip")

ahmedsza · github-advanced-security[bot] · web-flow · commit a0e46b89017f · 2024-10-30T14:16:32.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs b/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs
@@ -94,7 +94,11 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()
 
         public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
         {
-            string destFileName = Path.Combine(destDirectory, entry.FullName);
+            string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
+            string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
+            if (!destFileName.StartsWith(fullDestDirPath)) {
+                throw new InvalidOperationException("Entry is outside the target dir: " + destFileName);
+            }
             entry.ExtractToFile(destFileName);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,11 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()`
`94`	`94`
`95`	`95`	`public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)`
`96`	`96`	`{`
`97`		`- string destFileName = Path.Combine(destDirectory, entry.FullName);`
	`97`	`+ string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));`
	`98`	`+ string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);`
	`99`	`+ if (!destFileName.StartsWith(fullDestDirPath)) {`
	`100`	`+ throw new InvalidOperationException("Entry is outside the target dir: " + destFileName);`
	`101`	`+ }`
`98`	`102`	`entry.ExtractToFile(destFileName);`
`99`	`103`	`}`
`100`	`104`	`}`