54 lines
1.4 KiB
Plaintext
54 lines
1.4 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
using System.Collections.Generic;
|
|
using System.IO;
|
|
using System.IO.Compression;
|
|
|
|
namespace ZipSlip
|
|
{
|
|
public class ZipSlipNoncompliant
|
|
{
|
|
public void ExtractEntry(IEnumerator<ZipArchiveEntry> entriesEnumerator, string destinationDirectory)
|
|
{
|
|
var entry = entriesEnumerator.Current;
|
|
var destinationPath = Path.Combine(destinationDirectory, entry.FullName);
|
|
entry.ExtractToFile(destinationPath); // Noncompliant
|
|
}
|
|
}
|
|
}
|
|
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
using System.Collections.Generic;
|
|
using System.IO;
|
|
using System.IO.Compression;
|
|
|
|
namespace ZipSlip
|
|
{
|
|
public class ZipSlipCompliant
|
|
{
|
|
public void ExtractEntry(IEnumerator<ZipArchiveEntry> entriesEnumerator, string destinationDirectory)
|
|
{
|
|
var entry = entriesEnumerator.Current;
|
|
var destinationDirectoryFullPath = Path.GetFullPath(destinationDirectory);
|
|
var destinationPath = Path.Combine(destinationDirectoryFullPath, entry.FullName);
|
|
var destinationFullPath = Path.GetFullPath(destinationPath);
|
|
if (!destinationFullPath.StartsWith(destinationDirectoryFullPath))
|
|
{
|
|
throw new IOException("Attempting to extract archive entry outside destination directory");
|
|
}
|
|
entry.ExtractToFile(destinationFullPath); // OK
|
|
}
|
|
}
|
|
}
|
|
|
|
----
|
|
|
|
include::../see.adoc[]
|