C#: ZipSlip - Address review comments.

- Add backticks - Add extra test.
2026-05-02 12:15:17 +02:00 · 2018-10-03 11:38:48 +01:00
parent f9227eeee5
commit 1a90f7df2c
2 changed files with 11 additions and 2 deletions
--- a/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll
+++ b/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll
@@ -112,7 +112,7 @@ module ZipSlip {
  }

  /**
-   * A call to Substring.
+   * A call to `Substring`.
   *
   * This is considered a sanitizer because `Substring` may be used to extract a single component
   * of a path to avoid ZipSlip.
--- a/Features/CWE-022/ZipSlip/ZipSlip.cs
+++ b/Features/CWE-022/ZipSlip/ZipSlip.cs
@@ -59,7 +59,7 @@ namespace ZipSlip
                    foreach (ZipArchiveEntry entry in archive.Entries)
                    {
                        // figure out where we are putting the file
-                        string destFilePath = Path.Combine(InstallDir, entry.FullName);
+                        String destFilePath = Path.Combine(InstallDir, entry.FullName);

                        Directory.CreateDirectory(Path.GetDirectoryName(destFilePath));

@@ -94,6 +94,15 @@ namespace ZipSlip
                                Console.WriteLine(@"Writing ""{0}""", destFilePath);
                                archiveFileStream.CopyTo(fs);
                            }
+
+                            // GOOD: Use substring to pick out single component
+                            string fileName = destFilePath.Substring(destFilePath.LastIndexOf("\\"));
+                            var fileInfo2 = new FileInfo(fileName);
+                            using (FileStream fs = fileInfo2.Open(FileMode.Create))
+                            {
+                                Console.WriteLine(@"Writing ""{0}""", destFilePath);
+                                archiveFileStream.CopyTo(fs);
+                            }
                        }
                    }
                }