security: sanitize filenames used in multi-file zip uploads (ai:gpt-5) #51

New issue

Closed

opened 2026-05-23 22:09:04 +02:00 by heiko · 0 comments

heiko commented 2026-05-23 22:09:04 +02:00

Owner

Copy link

Finding from a whole-codebase security review.

Affected code:

• cmd/once-server/upload.go:163-181 creates zip entries from filepath.Join(basename, f.Filename).

Impact:
Multipart filenames are client-controlled. A filename containing path traversal, an absolute path, or platform-specific separators can become a dangerous zip entry name. Recipients who extract the generated archive with vulnerable tooling may write files outside the intended extraction directory. Single-file uploads use filepath.Base; the multi-file zip path does not.

Suggested fix:

• Sanitize each zip entry name before zipW.CreateHeader.
• Use portable slash-separated zip names, reject absolute paths, drive letters, empty names, and any . or .. segment.
• Consider flattening to filepath.Base unless preserving directories is an explicit feature.
• Add tests with filenames like ../secret, /tmp/secret, a/../../secret, and Windows-style paths.

Finding from a whole-codebase security review. Affected code: - cmd/once-server/upload.go:163-181 creates zip entries from `filepath.Join(basename, f.Filename)`. Impact: Multipart filenames are client-controlled. A filename containing path traversal, an absolute path, or platform-specific separators can become a dangerous zip entry name. Recipients who extract the generated archive with vulnerable tooling may write files outside the intended extraction directory. Single-file uploads use `filepath.Base`; the multi-file zip path does not. Suggested fix: - Sanitize each zip entry name before `zipW.CreateHeader`. - Use portable slash-separated zip names, reject absolute paths, drive letters, empty names, and any `.` or `..` segment. - Consider flattening to `filepath.Base` unless preserving directories is an explicit feature. - Add tests with filenames like `../secret`, `/tmp/secret`, `a/../../secret`, and Windows-style paths.

heiko added the

security

label 2026-05-24 18:44:09 +02:00

heiko referenced this issue from a commit 2026-05-24 20:36:04 +02:00

security: sanitize filenames in multi-file zip uploads (fixes #51) ai:claude-sonnet-4-5

heiko referenced this issue from a commit 2026-05-24 20:43:23 +02:00

Merge branch 'fix/51-zip-slip' into security/all-fixes

heiko referenced this issue from a commit 2026-05-24 20:43:23 +02:00

Merge security fixes #51 and #48: combine zip-slip and upload-limit tests

heiko referenced this issue 2026-05-24 20:44:00 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

heiko referenced this issue 2026-05-24 20:44:20 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

heiko referenced this issue 2026-05-24 20:46:14 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

heiko referenced this issue 2026-05-24 20:50:14 +02:00

security: comprehensive fixes for issues #48, #50, #51, #52, #53 ai:claude-sonnet-4-5 #61

heiko closed this issue 2026-05-24 20:56:24 +02:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

nagonag/update-master

fix/44-log-removal-details

debian

once.css

dev

v2.5.13-0.20260527114056-db01c609fc25

deb/v2.5.12-1

v2.5.12

deb/v2.5.11-1

v2.5.11

deb/v2.5.10-0.20260524190140-f81a5573a1da-2

deb/v2.5.10-0.20260524190140-f81a5573a1da-1

v2.5.10-0.20260524190140-f81a5573a1da

v2.5.10-0.20260524132651-90531c0633c8

v2.5.9

v2.5.9-0.20260524121920-a8bd0d1e45a4

v2.5.9-0.20260524115638-1a8fe03c73c5

deb/v2.5.8-1

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.4-0.20250910115912-7b669c0bd9aa

v0.0.0-20250910115912-7b669c0bd9aa

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v0.0.0-20250519211121-6ae54abed7ef

v2.4.4

v2.4.3

debian/2.4.2-1

v2.4.2

debian/2.4.1-1

v2.4.1

debian/2.4-1

v2.4

v2.3

debian/2.2-1-g04382ef-1

v2.2-1-g04382ef

debian/2.2-1

v2.2

debian/2.1-1

v2.1

debian/2.0-1

v2.0

debian/1.3-1-gbfa9b7c-1

v1.3-1-gbfa9b7c

debian/1.3-1

v1.3

debian/1.2-11-g73e5390-1

1.2-11-g73e5390

debian/1.2-1

1.2

debian/1.1-1

1.1

debian/1.0-1

1.0

debian/0.3-4-gf628485-1

0.3-4-gf628485

debian/0.3-3-g94ce876-1

0.3-3-g94ce876

debian/0.3-2

0.3

debian/0.2.5-7

debian/0.2.5-6

debian/0.2.5-5

debian/0.2.5-4

debian/0.2.5-3

debian/0.2.5-2

debian/0.2.5-1

0.2.5

debian/0.2.4-1

0.2.4

debian/0.2.3-1

0.2.3

debian/0.2.2-0

0.2.2

0.2.1

0.2

0.1

Labels

Clear labels   

nagonag

Automated dependency scan finding

  

nagonag/ignore

Ignore this nagonag finding

  

bug

Something is not working

  

doc

Missing or wrong documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

security

This is security relevant

  

wontfix

This won't be fixed

No labels

nagonag

nagonag/ignore

bug

doc

duplicate

enhancement

help wanted

invalid

question

security

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

IUS/once#51

No description provided.