Update zipslip_bad.py

ahmed-farid-dev · web-flow · commit cafbd984548c · 2022-03-28T01:08:39.000Z
diff --git a/python/ql/src/experimental/Security/CWE-022/zipslip_bad.py b/python/ql/src/experimental/Security/CWE-022/zipslip_bad.py
@@ -2,13 +2,15 @@
 import shutil
 
 def unzip(filename):
-    with zipfile.ZipFile(filename) as zipf:
+    with tarfile.open(filename) as zipf:
     #BAD : This could write any file on the filesystem.
         for entry in zipf:
-            shutil.copy(entry, "/tmp/unpack/")
+            shutil.copyfile(entry, "/tmp/unpack/")
           
-def unzip1(filename):
-    with zipfile.ZipFile(filename) as zipf:
-        for entry in zipf:
-            with open(entry, 'wb') as dstfile:
-                shutil.copyfileobj(zipf, dstfile)
+def unzip4(filename):
+    zf = zipfile.ZipFile(filename)
+    filelist = zf.namelist()
+    for filename in filelist:
+        with zf.open(filename) as srcf:
+            shutil.copyfileobj(srcf, dstfile)
+
