From bf4fd6e05e748890e4dbe6923fe75f90c350c463 Mon Sep 17 00:00:00 2001
From: zhenliemao <494822673@qq.com>
Date: Tue, 23 Jun 2026 15:21:11 +0800
Subject: [PATCH] Fix zip slip vulnerability by adding path traversal protection in _extract_zip

---
 src/skillspector/input_handler.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/skillspector/input_handler.py b/src/skillspector/input_handler.py
index e511281..89537ba 100644
--- a/src/skillspector/input_handler.py
+++ b/src/skillspector/input_handler.py
@@ -179,6 +179,10 @@ def _extract_zip(self, zip_path: Path) -> Path:
         extract_dir.mkdir(exist_ok=True)
         try:
             with zipfile.ZipFile(zip_path, "r") as zf:
+                for member in zf.infolist():
+                    member_path = (extract_dir / member.filename).resolve()
+                    if not member_path.is_relative_to(extract_dir):
+                        raise ValueError(f"Invalid zip entry: {member.filename} (path traversal attempt)")
                 zf.extractall(extract_dir)
         except zipfile.BadZipFile:
             logger.warning("Invalid zip or extract failed: %s", zip_path)
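Review bot: The added check compares a fully resolved `member_path` against the unresolved `extract_dir`, so unless `extract_dir` is already absolute and symlink-free where it is built above this hunk, a relative or symlinked extraction directory makes `is_relative_to` fail for every member and valid archives are rejected. Resolve the base once before the loop, `base = extract_dir.resolve()`, and test `if not member_path.is_relative_to(base):`. Note also that the new `ValueError` is not caught by the `except zipfile.BadZipFile:` clause below, so a traversal attempt propagates out of `_extract_zip` instead of taking the warn-and-continue path a corrupt archive takes; either add it to that except clause or document in the method's docstring that it raises `ValueError` on an unsafe entry, whichever callers expect. `Path.is_relative_to` requires Python 3.9+, which is worth confirming against the project's minimum supported version. `_extract_zip` begins and ends outside this hunk.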