From 50da8eefe880aeec7b5cbf102a9f80dba3702d74 Mon Sep 17 00:00:00 2001
From: Nicolas Will
Date: Mon, 17 Jun 2024 12:53:45 +0200
Subject: [PATCH] Fix ZipSlip vuln and integer conversion issue

---
 cmd/agent/main.go |  2 +-
 utils/archive.go  | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index fa718ce..c99ce2e 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -136,7 +136,7 @@ func main() {
 	rmqUser := os.Getenv("MRVA_RABBITMQ_USER")
 	rmqPass := os.Getenv("MRVA_RABBITMQ_PASSWORD")
-	rmqPortAsInt, err := strconv.Atoi(rmqPort)
+	rmqPortAsInt, err := strconv.ParseInt(rmqPort, 10, 16)
 	if err != nil {
 		slog.Error("Failed to parse RabbitMQ port", slog.Any("error", err))
 		os.Exit(1)
diff --git a/utils/archive.go b/utils/archive.go
index 6b4edf7..13aa6c3 100644
--- a/utils/archive.go
+++ b/utils/archive.go
@@ -4,9 +4,11 @@ import (
 	"archive/tar"
 	"archive/zip"
 	"compress/gzip"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 )
 // UnzipFile extracts a zip file to the specified destination
@@ -19,6 +21,12 @@ func UnzipFile(zipFile, dest string) error {
 	for _, f := range r.File {
 		fPath := filepath.Join(dest, f.Name)
+
+		// mitigate ZipSlip
+		if !strings.HasPrefix(filepath.Clean(fPath), filepath.Clean(dest)+string(os.PathSeparator)) {
+			return fmt.Errorf("illegal file path: %s", fPath)
+		}
+
 		if f.FileInfo().IsDir() {
 			if err := os.MkdirAll(fPath, os.ModePerm); err != nil {
 				return err
@@ -84,6 +92,12 @@ func Untar(r io.Reader, dest string) error {
 		}
 		fPath := filepath.Join(dest, header.Name)
+
+		// mitigate ZipSlip
+		if !strings.HasPrefix(filepath.Clean(fPath), filepath.Clean(dest)+string(os.PathSeparator)) {
+			return fmt.Errorf("illegal file path: %s", fPath)
+		}
+
 		if header.Typeflag == tar.TypeDir {
 			if err := os.MkdirAll(fPath, os.ModePerm); err != nil {
 				return err
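Review bot: `strconv.ParseInt(rmqPort, 10, 16)` on the changed line rejects every valid port above 32767, because bitSize 16 with a signed parse caps the value at int16 range, while it still accepts 0 and negative values that are not ports either. A TCP port is an unsigned 16-bit value, so the parse should be `rmqPortAsInt, err := strconv.ParseUint(rmqPort, 10, 16)`, which yields exactly the 0–65535 range; zero can then be rejected explicitly if the agent must not connect to port 0. Note that the variable's type changes from int (Atoi) to int64 (or uint64 with ParseUint), so the later use of rmqPortAsInt, which lies outside this hunk in main(), may need a conversion.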
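Review bot: The containment check added after `fPath := filepath.Join(dest, f.Name)` is duplicated verbatim in Untar (the last hunk), and in both places it rejects an entry whose cleaned path equals dest itself, because the required suffix is `dest + separator`; the `filepath.Clean(fPath)` is also redundant since filepath.Join already cleans its result. Extracting one helper keeps the two extractors in lockstep, documents the limits of a string-prefix check (it does not resolve symlinks already present under dest), and lets the equality case be handled deliberately. If the project's Go version is 1.20 or later, `filepath.IsLocal(f.Name)` is the standard-library form of the same test and could replace the hand-rolled prefix comparison inside the helper. The loop body continues outside the hunk.
```go
// safeJoin joins name onto dest and rejects archive entries that would
// resolve outside dest (ZipSlip). The test is lexical only: symlinks that
// already exist under dest are not resolved here.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	fPath := filepath.Join(cleanDest, name)
	if fPath != cleanDest && !strings.HasPrefix(fPath, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("illegal file path: %s", fPath)
	}
	return fPath, nil
}

// … in UnzipFile and Untar, replacing the inline check …
fPath, err := safeJoin(dest, f.Name)
if err != nil {
	return err
}
```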
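Review bot: The check constrains only header.Name; if Untar also materialises symlink or hardlink entries (the Typeflag handling continues outside the hunk), header.Linkname needs the same containment test, otherwise a link whose target lies outside dest passes unnoticed. Separately, tar archives created from a directory commonly carry a `./` entry, and for it `filepath.Join(dest, "./")` equals `filepath.Clean(dest)` with no trailing separator, so the new check makes Untar fail on such archives; prefixing the condition with `filepath.Clean(fPath) != filepath.Clean(dest) &&` keeps them extractable while still rejecting any path that leaves dest.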