@@ -58,9 +58,13 @@ def extract_zip(file_path: str, extract_to: str) -> None:
5858
5959 # Security: Check for path traversal in zip entries
6060 for member in zip_ref .namelist ():
61- # Check for explicit path traversal attempts first
62- if ".." in member or member .startswith ("/" ):
61+ # Check for explicit path traversal attempts (../ or ..\ patterns)
62+ # Allow filenames containing ".." as a substring (e.g., "file..name.txt")
63+ if "../" in member or "..\\ " in member or member .startswith ("../" ) or member .startswith ("..\\ " ):
6364 raise ValueError (f"Invalid path in zip file: { member } " )
65+ # Check for absolute paths
66+ if member .startswith ("/" ) or (os .name == "nt" and len (member ) > 1 and member [1 ] == ":" ):
67+ raise ValueError (f"Invalid absolute path in zip file: { member } " )
6468
6569 # Normalize the member path (remove leading slashes and normalize)
6670 member_normalized = os .path .normpath (member .lstrip ("/" ))
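Review bot: The relaxed check on new line 63 still works by substring and so misses a member that is exactly `..` or ends in `/..` (no `../` appears in it), while `"../" in member` already implies `member.startswith("../")`, so the two `startswith` clauses are dead; the same applies to line 107 in extract_tar. Whether the normalization on line 70 and the code after it (outside this hunk) closes that gap cannot be seen here, so the safer form is to test path components rather than substrings: `parts = member.replace("\\", "/").split("/")` followed by `if ".." in parts or os.path.isabs(member) or (len(member) > 1 and member[1] == ":"): raise ValueError(f"Invalid path in zip file: {member}")`. That also drops the `os.name == "nt"` guard, since a zip built on Windows can carry `C:`-prefixed names regardless of where it is extracted, and `os.path.isabs` covers the `\`-leading case the `startswith("/")` test on line 66 does not. The final authority should still be a post-normalization `os.path.commonpath` check against `extract_to`, if that is not already what follows line 70. extract_zip continues outside the hunk.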
@@ -98,9 +102,13 @@ def extract_tar(file_path: str, extract_to: str) -> None:
98102
99103 # Security: Check for path traversal in tar entries
100104 for member in tar_ref .getmembers ():
101- # Check for explicit path traversal attempts first
102- if ".." in member .name or member .name .startswith ("/" ):
105+ # Check for explicit path traversal attempts (../ or ..\ patterns)
106+ # Allow filenames containing ".." as a substring (e.g., "file..name.txt")
107+ if "../" in member .name or "..\\ " in member .name or member .name .startswith ("../" ) or member .name .startswith ("..\\ " ):
103108 raise ValueError (f"Invalid path in tar file: { member .name } " )
109+ # Check for absolute paths
110+ if member .name .startswith ("/" ) or (os .name == "nt" and len (member .name ) > 1 and member .name [1 ] == ":" ):
111+ raise ValueError (f"Invalid absolute path in tar file: { member .name } " )
104112
105113 # Normalize the member path (remove leading slashes and normalize)
106114 member_normalized = os .path .normpath (member .name .lstrip ("/" ))
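Review bot: The name-only checks on new lines 107 and 110 leave tar-specific escapes unaddressed: a symlink or hardlink member whose `linkname` points outside `extract_to`, followed by a later member written through that link, passes every check here, as do device and FIFO entries. Before the name check, reject or skip such members, e.g. `if member.issym() or member.islnk(): raise ValueError(f"Link entry in tar file: {member.name}")` (or validate `member.linkname` the same way as `member.name`) and `if not (member.isfile() or member.isdir()): raise ValueError(f"Unsupported entry type in tar file: {member.name}")`. On Python 3.12+ (and the security branches that backported it) `tar_ref.extractall(extract_to, filter="data")` applies these rules in the library; whether the extraction call later in extract_tar uses it cannot be seen from this hunk. extract_tar continues outside the hunk.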