Merge pull request #13 from marcelloraffaele/alert-autofix-2

Fix code scanning alert no. 2: Arbitrary file access during archive extraction ("Zip Slip")

Author: marcelloraffaele

src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs

@@ -94,12 +94,13 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()
 
         public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
         {
-            string destFileName = Path.Combine(destDirectory, entry.FullName);
+            string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
+            string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
 
             // Ensure the destination file is within the destination directory
-            if (!Path.GetFullPath(destFileName).StartsWith(Path.GetFullPath(destDirectory), StringComparison.Ordinal))
+            if (!destFileName.StartsWith(fullDestDirPath, StringComparison.Ordinal))
             {
-            throw new InvalidOperationException("Entry is trying to write outside of the destination directory.");
+                throw new InvalidOperationException("Entry is trying to write outside of the destination directory.");
             }
 
             entry.ExtractToFile(destFileName);