From 23e2a8f052bb0c2b72637f30fd3ebaa845075d2e Mon Sep 17 00:00:00 2001
From: Wander Lairson Costa
Date: Thu, 7 Jun 2018 10:01:46 -0300
Subject: [PATCH] Bug 1466872: Fix zip slip vulnerability

Ref: https://snyk.io/research/zip-slip-vulnerability
---
 aws.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/aws.go b/aws.go
index 6ded10b7..9dfdf858 100644
--- a/aws.go
+++ b/aws.go
@@ -6,6 +6,7 @@ import (
 "encoding/base64"
 "encoding/json"
 "errors"
+ "fmt"
 "io"
 "io/ioutil"
 "log"
@@ -150,6 +151,11 @@ func Unzip(b []byte, dest string) error {
 path := filepath.Join(dest, f.Name)
+ // Fix for https://snyk.io/research/zip-slip-vulnerability
+ if !strings.HasPrefix(path, dest) {
+ return fmt.Errorf("%s: illegal path", f.Name)
+ }
+
 if f.FileInfo().IsDir() {
 os.MkdirAll(path, f.Mode())
 } else {
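Review bot: The new guard `strings.HasPrefix(path, dest)` in Unzip compares a cleaned path against the raw `dest` string with no separator boundary, so it is both too loose and too strict. A joined path that resolves into a sibling directory whose name merely begins with `dest` still passes the check. Because `filepath.Join` cleans its result, a `dest` given as `.`, with a leading `./`, or with a trailing slash can cause valid entries to be rejected. Comparing against the cleaned root plus a separator closes both gaps: `root := filepath.Clean(dest)` followed by `if path != root && !strings.HasPrefix(path, root+string(os.PathSeparator)) {`. Unzip's body begins and continues outside this hunk, so whether symlink entries are handled further down cannot be judged from here.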