SECURITY: Prevent arbitrary file write when decompressing files (#18421)

* SECURITY: Prevent arbitrary file write when decompressing files * FIX: Allow decompressing files into symlinked directories Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com> Co-authored-by: Gerhard Schlager <gerhard.schlager@discourse.org>
2025-05-21 18:12:32 +08:00 · 2022-09-29 20:00:38 +02:00
parent ae1e536e83
commit b27d5626d2
9 changed files with 175 additions and 57 deletions
--- a/lib/compression/zip.rb
+++ b/lib/compression/zip.rb
@ -35,17 +35,12 @@ module Compression
      yield(zip_file)
    end

-    def build_entry_path(compressed_file, dest_path, compressed_file_path, entry, allow_non_root_folder)
-      folder_name = compressed_file_path.split('/').last.gsub('.zip', '')
-      root = root_folder_present?(compressed_file, allow_non_root_folder) ? '' : "#{folder_name}/"
-
-      File.join(dest_path, "#{root}#{entry.name}").tap do |entry_path|
-        FileUtils.mkdir_p(File.dirname(entry_path))
-      end
+    def build_entry_path(dest_path, entry, _)
+      File.join(dest_path, entry.name)
    end

-    def root_folder_present?(filenames, allow_non_root_folder)
-      filenames.map { |p| p.name.split('/').first }.uniq.size == 1 || allow_non_root_folder
+    def decompression_results_path(dest_path, _)
+      dest_path
    end

    def extract_file(entry, entry_path, available_size)