From 9f653a2ce6530d2ed2bb31c1a1500fa9b003074a Mon Sep 17 00:00:00 2001
From: Corey Butler <770982+coreybutler@users.noreply.github.com>
Date: Fri, 3 Jan 2025 21:25:16 -0600
Subject: [PATCH] Fix code scanning alert no. 2: Arbitrary file access during archive extraction ("Zip Slip")

Prevent zip extraction from processing arbitrary files.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/upgrade/upgrade.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/upgrade/upgrade.go b/src/upgrade/upgrade.go
index 32f2d365..8837a47e 100644
--- a/src/upgrade/upgrade.go
+++ b/src/upgrade/upgrade.go
@@ -845,6 +845,11 @@ func unzip(src string, dest string) error {
 // Build the path for each file in the destination directory
 fpath := filepath.Join(dest, f.Name)
 
+ // Validate the file path to prevent directory traversal
+ if strings.Contains(f.Name, "..") {
+ return fmt.Errorf("invalid file path: %s", f.Name)
+ }
+
 // Check if the file is a directory
 if f.FileInfo().IsDir() {
 // Create directory if it doesn't exist
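Review bot: The substring test `strings.Contains(f.Name, "..")` in the added block is not the canonical zip-slip guard: it rejects legitimate entry names that merely contain two consecutive dots (for example `foo..txt`), while the invariant that actually matters — that the joined `fpath` resolves inside `dest` — is never asserted. Since `fpath` is already computed on the line above, check the cleaned result instead: `if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) { return fmt.Errorf("invalid file path: %s", f.Name) }`, which keeps the error message unchanged and makes the containment property explicit rather than inferred from the raw name. The hunk does not show the import block, so confirm that `strings`, `fmt` and `os` are imported in upgrade.go before relying on them. The body of unzip starts and ends outside this hunk.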