toolbox: fix codeql go/zipslip

tenthirtyam · tenthirtyam · commit 69643bd7f89b · 2025-03-17T09:38:36.000-04:00
Updates the `archiveRead` function in the `toolbox/hgfs/archive.go` file. The change adds validation to prevent directory traversal attacks.

Signed-off-by: Ryan Johnson &lt;ryan.johnson@broadcom.com&gt;
diff --git a/toolbox/hgfs/archive.go b/toolbox/hgfs/archive.go
@@ -238,6 +238,12 @@ func archiveRead(u *url.URL, tr *tar.Reader) error {
 			return err
 		}
 
+		// validate to prevent directory traversal
+		if strings.Contains(header.Name, "..") {
+			log.Printf("skipping invalid entry with '..' in name: %s", header.Name)
+			continue
+		}
+
 		name := filepath.Join(u.Path, header.Name)
 		mode := os.FileMode(header.Mode)
 
