From 6815cdbda4687df62d7978ff3fcd040b8a21f97e Mon Sep 17 00:00:00 2001
From: kolaente
Date: Tue, 24 Feb 2026 20:36:28 +0100
Subject: [PATCH] fix(migration): reject zip entries with path traversal in vikunja-file import

---
 pkg/modules/migration/vikunja-file/vikunja.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pkg/modules/migration/vikunja-file/vikunja.go b/pkg/modules/migration/vikunja-file/vikunja.go
index 0c2b5a0b8..32a3a2aa5 100644
--- a/pkg/modules/migration/vikunja-file/vikunja.go
+++ b/pkg/modules/migration/vikunja-file/vikunja.go
@@ -30,6 +30,7 @@ import (
 	"code.vikunja.io/api/pkg/models"
 	"code.vikunja.io/api/pkg/modules/migration"
 	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/api/pkg/utils"
 	vversion "code.vikunja.io/api/pkg/version"
 
 	"github.com/hashicorp/go-version"
@@ -80,8 +81,12 @@ func (v *FileMigrator) Migrate(user *user.User, file io.ReaderAt, size int64) er
 	var versionFile *zip.File
 	storedFiles := make(map[int64]*zip.File)
 	for _, f := range r.File {
+		if utils.ContainsPathTraversal(f.Name) {
+			return fmt.Errorf("unsafe path in zip archive: %q", f.Name)
+		}
+
 		if strings.HasPrefix(f.Name, "files/") {
-			fname := strings.ReplaceAll(f.Name, "files/", "")
+			fname := strings.TrimPrefix(f.Name, "files/")
 			id, err := strconv.ParseInt(fname, 10, 64)
 			if err != nil {
 				return fmt.Errorf("could not convert file id: %w", err)
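Review bot: The new guard on `f.Name` in the second hunk carries no comment saying what it protects or why it rejects the whole archive, and whether `utils.ContainsPathTraversal` also covers absolute entry names and backslash separators cannot be seen from this hunk; I'd add `// Reject traversal in entry names before any name-based dispatch below; rejecting the whole archive on the first bad entry is intentional (fail closed).` above the `if utils.ContainsPathTraversal(f.Name)` line, and a table test in this package using a constructed in-memory archive with a `../`-style entry name to pin the rejection. The `TrimPrefix` change is behaviour-neutral for the `files/` branch, since `strconv.ParseInt` rejects anything that is not a bare integer either way. Logging the entry name with `%q` is the right choice, as the name is attacker-controlled. Migrate starts at the hunk header and continues past the hunk, so how entry names are used after this loop could not be checked here.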