X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=vendor%2Fgithub.com%2Fhashicorp%2Fgo-getter%2Fdecompress_zip.go;h=0830f79143e790a4e78d98b97939434ebfc5eb82;hb=b74d3065f299a1953e6d21e3d48d3ce0629bcaf7;hp=a065c076ffe3a1f1d56b0418b794ddd4977ad664;hpb=21252084ae8c5f3321b45008fd5a6b162b293407;p=github%2Ffretlink%2Fterraform-provider-statuscake.git

diff --git a/vendor/github.com/hashicorp/go-getter/decompress_zip.go b/vendor/github.com/hashicorp/go-getter/decompress_zip.go
index a065c07..0830f79 100644
--- a/vendor/github.com/hashicorp/go-getter/decompress_zip.go
+++ b/vendor/github.com/hashicorp/go-getter/decompress_zip.go
@@ -9,7 +9,7 @@ import (
 )
 
 // ZipDecompressor is an implementation of Decompressor that can
-// decompress tar.gzip files.
+// decompress zip files.
 type ZipDecompressor struct{}
 
 func (d *ZipDecompressor) Decompress(dst, src string, dir bool) error {
@@ -42,6 +42,11 @@ func (d *ZipDecompressor) Decompress(dst, src string, dir bool) error {
 	for _, f := range zipR.File {
 		path := dst
 		if dir {
+			// Disallow parent traversal
+			if containsDotDot(f.Name) {
+				return fmt.Errorf("entry contains '..': %s", f.Name)
+			}
+
 			path = filepath.Join(path, f.Name)
 		}