Cherry pick branch 'genexuslabs:fix/code-ql-redos-log-forging' into beta

claudiamurialdo · Beta Bot · commit 79cf80ec763a · 2025-12-02T17:13:33.000Z
diff --git a/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs b/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs
@@ -603,6 +603,14 @@ private static void DecompressZip(FileInfo file, string outputPath)
 				foreach (var entry in archive.Entries)
 				{
 					string fullPath = Path.Combine(outputPath, entry.FullName);
+					string destFileName = Path.GetFullPath(fullPath);
+					string fullDestDirPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar);
+					if (!destFileName.StartsWith(fullDestDirPath))
+					{
+						throw new InvalidOperationException("Entry is outside the target dir: " + destFileName);
+					}
+
+
 					if (string.IsNullOrEmpty(entry.Name))
 					{
 						Directory.CreateDirectory(fullPath);
@@ -742,6 +750,14 @@ private static void DecompressJar(FileInfo file, string outputPath)
 				foreach (var entry in archive.Entries)
 				{
 					string destinationPath = Path.Combine(outputPath, entry.FullName);
+					string destFileName = Path.GetFullPath(destinationPath);
+					string fullDestDirPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar);
+					if (!destFileName.StartsWith(fullDestDirPath))
+					{
+						throw new InvalidOperationException("Entry is outside the target dir: " + destFileName);
+					}
+
+
 					if (string.IsNullOrEmpty(entry.Name))
 					{
 						Directory.CreateDirectory(destinationPath);
