From 54a938f02aad7266b5803d4e0ae27ca9c2a3ce3b Mon Sep 17 00:00:00 2001
From: Yahor Yuzefovich
Date: Tue, 10 Sep 2019 14:55:06 -0700
Subject: [PATCH] workload: fix a security vulnerability in querylog tool

A member of the community noticed that the way querylog unzips the zip file was susceptible to ZipSlip vulnerability. Now this is fixed.

Release justification: Category 1: Non-production code changes.

Release note: None
---
 pkg/workload/querylog/querylog.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/workload/querylog/querylog.go b/pkg/workload/querylog/querylog.go
index a112308c8181..c7628aa9972d 100644
--- a/pkg/workload/querylog/querylog.go
+++ b/pkg/workload/querylog/querylog.go
@@ -542,6 +542,12 @@ func unzip(src, dest string) error {
 		}()
 
 		path := filepath.Join(dest, f.Name)
+		// Check for ZipSlip. More Info: http://bit.ly/2MsjAWE
+		if !strings.HasPrefix(path, filepath.Clean(dest)+string(os.PathSeparator)) {
+			return errors.Errorf("%s: illegal file path while extracting the zip. "+
+				"Such a file path can be dangerous because of ZipSlip vulnerability. "+
+				"Please reconsider whether the zip file is trustworthy.", path)
+		}
 		if f.FileInfo().IsDir() {
 			if err = os.MkdirAll(path, f.Mode()); err != nil {