Headline
CVE-2023-27475: fix zipslip · gookit/goutil@d7b94fe
Goutil is a collection of miscellaneous functionality for the go language. In versions prior to 0.6.0 when users use fsutil.Unzip to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. This vulnerability is known as a ZipSlip. This issue has been fixed in version 0.6.0, users are advised to upgrade. There are no known workarounds for this issue.
@@ -2,11 +2,13 @@ package fsutil
import (
“archive/zip”
“fmt”
“io”
“io/ioutil”
“os”
“path”
“path/filepath”
“strings”
)
// Mkdir alias of os.MkdirAll()
@@ -317,7 +319,13 @@ func Unzip(archive, targetDir string) (err error) {
}
for _, file := range reader.File {
if strings.Contains(file.Name, “…”) {
return fmt.Errorf("illegal file path in zip: %v", file.Name)
}
fullPath := filepath.Join(targetDir, file.Name)
if file.FileInfo().IsDir() {
err = os.MkdirAll(fullPath, file.Mode())
if err != nil {
Related news
### Impact ZipSlip issue when use fsutil package to unzip files. When users use fsutil.Unzip to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. ### Patches It has been fixed in v0.6.0, Please upgrade version to v0.6.0 or above. ### Workarounds No, users have to upgrade version.