fix: optimized archive extraction path traversal checks

cyberchen1995 · cyberchen1995 · commit 453c6698b7f1 · 2026-03-19T15:48:25.000+08:00
diff --git a/example/go.mod b/example/go.mod
@@ -1,6 +1,6 @@
 module opensca-example
 
-go 1.20
+go 1.25
 
 require github.com/xmirrorsecurity/opensca-cli/v3 v3.0.2
 
diff --git a/opensca/walk/rar.go b/opensca/walk/rar.go
@@ -5,7 +5,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"strings"
 
 	"github.com/xmirrorsecurity/opensca-cli/v3/opensca/logs"
 
@@ -42,15 +41,14 @@ func xrar(ctx context.Context, filter ExtractFileFilter, input, output string) b
 			break
 		}
 
-		fp := filepath.Join(output, fh.Name)
-		if fh.IsDir {
-			os.MkdirAll(fp, 0755)
+		fp, err := resolveExtractPath(output, fh.Name)
+		if err != nil {
+			logs.Warn(err)
 			continue
 		}
 
-		// avoid path traversal
-		if !strings.HasPrefix(fp, filepath.Clean(output)+string(os.PathSeparator)) {
-			logs.Warn("Invalid file path: %s", fp)
+		if fh.IsDir {
+			os.MkdirAll(fp, 0755)
 			continue
 		}
 
diff --git a/opensca/walk/tar.go b/opensca/walk/tar.go
@@ -44,11 +44,9 @@ func xtar(ctx context.Context, filter ExtractFileFilter, input, output string) b
 			break
 		}
 
-		fp := filepath.Join(output, fh.Name)
-
-		// avoid zip slip
-		if !strings.HasPrefix(fp, filepath.Clean(output)+string(os.PathSeparator)) {
-			logs.Warn("Invalid file path: %s", fp)
+		fp, err := resolveExtractPath(output, fh.Name)
+		if err != nil {
+			logs.Warn(err)
 			continue
 		}
 
diff --git a/opensca/walk/zip.go b/opensca/walk/zip.go
@@ -7,7 +7,6 @@ import (
 	"io"
 	"os"
 	"path/filepath"
-	"strings"
 
 	"github.com/xmirrorsecurity/opensca-cli/v3/opensca/common"
 	"github.com/xmirrorsecurity/opensca-cli/v3/opensca/logs"
@@ -40,17 +39,17 @@ func xzip(ctx context.Context, filter ExtractFileFilter, input, output string) b
 			continue
 		}
 
-		fp := filepath.Join(output, f.Name)
+		entryName := f.Name
 
 		if f.Flags == 0 {
 			gbk := mahonia.NewDecoder("gbk").ConvertString(f.Name)
 			_, cdata, _ := mahonia.NewDecoder("utf-8").Translate([]byte(gbk), true)
-			fp = filepath.Join(output, string(cdata))
+			entryName = string(cdata)
 		}
 
-		// avoid zip slip
-		if !strings.HasPrefix(fp, filepath.Clean(output)+string(os.PathSeparator)) {
-			logs.Warn("Invalid file path: %s", fp)
+		fp, err := resolveExtractPath(output, entryName)
+		if err != nil {
+			logs.Warn(err)
 			continue
 		}
 

-Original file line number
+Diff line change
@@ @@ -1,6 +1,6 @@ @@
 module opensca-example
 -go 1.20
 +go 1.25
 require github.com/xmirrorsecurity/opensca-cli/v3 v3.0.2
Original file line number	Diff line number	Diff line change
`@@ -44,11 +44,9 @@ func xtar(ctx context.Context, filter ExtractFileFilter, input, output string) b`
`44`	`44`	`break`
`45`	`45`	`}`
`46`	`46`
`47`		`- fp := filepath.Join(output, fh.Name)`
`48`		`-`
`49`		`- // avoid zip slip`
`50`		`- if !strings.HasPrefix(fp, filepath.Clean(output)+string(os.PathSeparator)) {`
`51`		`- logs.Warn("Invalid file path: %s", fp)`
	`47`	`+ fp, err := resolveExtractPath(output, fh.Name)`
	`48`	`+ if err != nil {`
	`49`	`+ logs.Warn(err)`
`52`	`50`	`continue`
`53`	`51`	`}`
`54`	`52`