Skip to content

Commit

Permalink
Merge #40656
Browse files Browse the repository at this point in the history
40656: workload: fix a security vulnerability in querylog tool r=yuzefovich a=yuzefovich

A member of the community noticed that the way querylog unzips the
zip file was susceptible to ZipSlip vulnerability. Now this is fixed.

Fixes: #40631.

Release justification: Category 1: Non-production code changes.

Release note: None

Co-authored-by: Yahor Yuzefovich <[email protected]>
  • Loading branch information
craig[bot] and yuzefovich committed Sep 13, 2019
2 parents 7a2e9a8 + 54a938f commit e5e61df
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions pkg/workload/querylog/querylog.go
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,12 @@ func unzip(src, dest string) error {
}()

path := filepath.Join(dest, f.Name)
// Check for ZipSlip. More Info: http://bit.ly/2MsjAWE
if !strings.HasPrefix(path, filepath.Clean(dest)+string(os.PathSeparator)) {
return errors.Errorf("%s: illegal file path while extracting the zip. "+
"Such a file path can be dangerous because of ZipSlip vulnerability. "+
"Please reconsider whether the zip file is trustworthy.", path)
}

if f.FileInfo().IsDir() {
if err = os.MkdirAll(path, f.Mode()); err != nil {
Expand Down

0 comments on commit e5e61df

Please sign in to comment.