Apply code review suggestions.

Co-authored-by: Asger F <asgerf@github.com>
Tony Torralba
2023-06-19 10:18:02 +02:00
parent 433fc680ec
commit 3c4d938cf1
6 changed files with 18 additions and 22 deletions

@@ -4,10 +4,9 @@
<qhelp>
<overview>
<p>Accessing filesystem paths built from the name of an archive entry without validating that the
destination file path is within the destination directory can allow an attacker to access
unexpected resources, due to the possible presence of directory traversal elements (<code>..</code>) in
archive paths.</p>
<p>Extracting files from a malicious zip file, or similar type of archive,
is at risk of directory traversal attacks if filenames from the archive are
not properly validated.</p>
<p>Zip archives contain archive entries representing each file in the archive. These entries
include a file path for the entry, but these file paths are not restricted and may contain
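
Review bot: In the overview paragraph that begins "Extracting files from a malicious zip file", the phrase "not properly validated" leaves the reader without the actual check to perform. The other wording in this hunk states both the cause (directory traversal elements, "..", in archive paths) and the condition to enforce (the destination file path is within the destination directory); consider keeping that in the sentence, for example "if filenames from the archive are not validated to resolve within the destination directory". The scope also shifts between this paragraph ("zip file, or similar type of archive") and the next one, which opens with "Zip archives"; using one term in both would make the overview read consistently.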