fix(security): zip slip (#1228)

* fix(security): Zip Slip * chore:remove repeat clean * fix: archives,iso9660 and rardecode module --------- Co-authored-by: ILoveScratch <ilovescratch@foxmail.com>
2025-09-20 04:36:09 +08:00 · 2025-09-15 13:25:21 +08:00
parent 61a8ed515f
commit c1d03c5bcc
7 changed files with 77 additions and 37 deletions
--- a/internal/archive/rardecode/rardecode.go
+++ b/internal/archive/rardecode/rardecode.go
@ -3,7 +3,7 @@ package rardecode
 import (
 	"io"
 	"os"
-	stdpath "path"
+	"path/filepath"
 	"strings"

 	"github.com/OpenListTeam/OpenList/v4/internal/archive/tool"
@ -93,7 +93,7 @@ func (RarDecoder) Decompress(ss []*stream.SeekableStream, outputPath string, arg
 		}
 	} else {
 		innerPath := strings.TrimPrefix(args.InnerPath, "/")
-		innerBase := stdpath.Base(innerPath)
+		innerBase := filepath.Base(innerPath)
 		createdBaseDir := false
 		for {
 			var header *rardecode.FileHeader
@ -115,7 +115,7 @@ func (RarDecoder) Decompress(ss []*stream.SeekableStream, outputPath string, arg
 				}
 				break
 			} else if strings.HasPrefix(name, innerPath+"/") {
-				targetPath := stdpath.Join(outputPath, innerBase)
+				targetPath := filepath.Join(outputPath, innerBase)
 				if !createdBaseDir {
 					err = os.Mkdir(targetPath, 0700)
 					if err != nil {