Fix code scanning alert no. 2: Arbitrary file access during archive extraction ("Zip Slip")

marcelloraffaele · github-advanced-security[bot] · web-flow · commit 67ce996dc849 · 2024-10-30T13:36:00.000+01:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs b/src/Application/src/RazorPagesTestSample/Pages/Index.cshtml.cs
@@ -94,12 +94,13 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()
 
         public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)
         {
-            string destFileName = Path.Combine(destDirectory, entry.FullName);
+            string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
+            string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
 
             // Ensure the destination file is within the destination directory
-            if (!Path.GetFullPath(destFileName).StartsWith(Path.GetFullPath(destDirectory), StringComparison.Ordinal))
+            if (!destFileName.StartsWith(fullDestDirPath, StringComparison.Ordinal))
             {
-            throw new InvalidOperationException("Entry is trying to write outside of the destination directory.");
+                throw new InvalidOperationException("Entry is trying to write outside of the destination directory.");
             }
 
             entry.ExtractToFile(destFileName);

Original file line number	Diff line number	Diff line change
`@@ -94,12 +94,13 @@ public async Task<IActionResult> OnPostAnalyzeMessagesAsync()`
`94`	`94`
`95`	`95`	`public static void WriteToDirectory(ZipArchiveEntry entry, string destDirectory)`
`96`	`96`	`{`
`97`		`- string destFileName = Path.Combine(destDirectory, entry.FullName);`
	`97`	`+ string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));`
	`98`	`+ string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);`
`98`	`99`
`99`	`100`	`// Ensure the destination file is within the destination directory`
`100`		`- if (!Path.GetFullPath(destFileName).StartsWith(Path.GetFullPath(destDirectory), StringComparison.Ordinal))`
	`101`	`+ if (!destFileName.StartsWith(fullDestDirPath, StringComparison.Ordinal))`
`101`	`102`	`{`
`102`		`- throw new InvalidOperationException("Entry is trying to write outside of the destination directory.");`
	`103`	`+ throw new InvalidOperationException("Entry is trying to write outside of the destination directory.");`
`103`	`104`	`}`
`104`	`105`
`105`	`106`	`entry.ExtractToFile(destFileName);`