latest commit

pmadusud · pmadusud · commit 5b48101d3642 · 2024-10-30T13:39:43.000Z
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 
 .DS_Store
+ src/Application/src/RazorPagesTestSample/config.json
diff --git a/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs b/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs
@@ -92,9 +92,13 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()
             return RedirectToPage();
         }
 
-        public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
+         public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
         {
-            string destFileName = Path.Combine(destDirectory, entry.FullName);
+            string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
+            string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
+            if (!destFileName.StartsWith(fullDestDirPath)) {
+                throw new System.InvalidOperationException("Entry is outside the target dir: " + destFileName);
+            }
             entry.ExtractToFile(destFileName);
         }
     }
diff --git a/src/Application/src/RazorPagesTestSample/config.json b/src/Application/src/RazorPagesTestSample/config.json

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`
`2`	`2`	`.DS_Store`
	`3`	`+ src/Application/src/RazorPagesTestSample/config.json`
Original file line number	Diff line number	Diff line change
`@@ -92,9 +92,13 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()`
`92`	`92`	`return RedirectToPage();`
`93`	`93`	`}`
`94`	`94`
`95`		`- public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)`
	`95`	`+ public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)`
`96`	`96`	`{`
`97`		`- string destFileName = Path.Combine(destDirectory, entry.FullName);`
	`97`	`+ string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));`
	`98`	`+ string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);`
	`99`	`+ if (!destFileName.StartsWith(fullDestDirPath)) {`
	`100`	`+ throw new System.InvalidOperationException("Entry is outside the target dir: " + destFileName);`
	`101`	`+ }`
`98`	`102`	`entry.ExtractToFile(destFileName);`
`99`	`103`	`}`
`100`	`104`	`}`