From a93479124c110e63465a8dc14f2c5a5fabd32bc9 Mon Sep 17 00:00:00 2001
From: wwqgtxx
Date: Tue, 20 May 2025 00:00:07 +0800
Subject: [PATCH] chore: stricter path checking when unpacking zip/tgz

---
 component/updater/update_ui.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/component/updater/update_ui.go b/component/updater/update_ui.go
index 5fa912e15..4d1e98edd 100644
--- a/component/updater/update_ui.go
+++ b/component/updater/update_ui.go
@@ -221,7 +221,7 @@ func unzip(src, dest string) (string, error) {
 			fpath = filepath.Join(extractedFolder, f.Name)
 		}
 
-		if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
+		if !inDest(fpath, dest) {
 			return "", fmt.Errorf("invalid file path: %s", fpath)
 		}
 		info := f.FileInfo()
@@ -344,7 +344,7 @@ func untgz(src, dest string) (string, error) {
 			fpath = filepath.Join(extractedFolder, cleanTarPath(header.Name))
 		}
 
-		if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
+		if !inDest(fpath, dest) {
 			return "", fmt.Errorf("invalid file path: %s", fpath)
 		}
 
@@ -421,3 +421,12 @@ func cleanup(root string) error {
 		return nil
 	})
 }
+
+func inDest(fpath, dest string) bool {
+	if rel, err := filepath.Rel(dest, fpath); err == nil {
+		if filepath.IsLocal(rel) {
+			return true
+		}
+	}
+	return false
+}
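Review bot: The new check in unzip accepts an entry whose resolved path is dest itself, which the old `strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator))` rejected: `filepath.Rel(dest, dest)` yields `"."`, and `filepath.IsLocal(".")` is true. The same applies to the identical replacement in the untgz hunk. Whether an archive entry can actually resolve to dest (an empty or "." name, for instance) depends on how fpath is built above the hunk, so if the previous exclusion was intentional, inDest should keep it with `if rel == "." { return false }` before the IsLocal test. The bodies of unzip and untgz both start and end outside their hunks, so the later handling of fpath could not be checked here.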
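Review bot: inDest has no doc comment, and since Rel and IsLocal are both purely lexical the limits of the check should be stated where the function is defined; suggested: `// inDest reports whether fpath resolves to a location inside dest. The check is lexical (Rel + IsLocal): it rejects absolute and ".."-escaping results but does not resolve symlinks, so callers that create symlink entries must still guard their targets.` The nested ifs can also be flattened to `rel, err := filepath.Rel(dest, fpath)` followed by `return err == nil && filepath.IsLocal(rel)`, which reads as a single predicate. filepath.IsLocal was added in Go 1.20, so the module's go directive presumably already requires at least that version; worth confirming since go.mod is not part of this patch.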