From 3006c5a462e9d3923f7ede3fda22bc24968af575 Mon Sep 17 00:00:00 2001
From: fernandofatech
Date: Fri, 15 May 2026 23:36:25 -0300
Subject: [PATCH] fix: clean zip entry paths before extraction

---
 internal/cache/cache.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/cache/cache.go b/internal/cache/cache.go
index eb0d5b1..b290819 100644
--- a/internal/cache/cache.go
+++ b/internal/cache/cache.go
@@ -245,7 +245,12 @@ func ExtractZipFile(filePath string) (string, error) {
 if strings.HasSuffix(f.Name, "/") {
 continue
 }
- outputFilename := filepath.Join(cacheFilePath, f.Name)
+ cleanName := filepath.Clean(f.Name)
+ if filepath.IsAbs(cleanName) || cleanName == ".." || strings.HasPrefix(cleanName, ".."+string(os.PathSeparator)) {
+ return "", fmt.Errorf("zip entry escapes cache directory: %s", f.Name)
+ }
+
+ outputFilename := filepath.Join(cacheFilePath, cleanName)
 cleanOutputPath, err := filepath.Abs(outputFilename)
 if err != nil {
 return "", fmt.Errorf("cannot resolve zip entry path(%s): %v", f.Name, err)
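Review bot: The hand-rolled escape test in the added `if` (IsAbs, `..`, `..`+separator) reimplements what the standard library already provides: `filepath.IsLocal` (Go 1.20+) rejects absolute and rooted names, any `..` traversal, the empty name, and on Windows also reserved device names and drive-relative forms that the three conditions here do not cover — provided the module's Go version allows it, the guard collapses to `if !filepath.IsLocal(f.Name) { return "", fmt.Errorf("zip entry escapes cache directory: %q", f.Name) }` and `cleanName` is no longer needed, since `filepath.Join` cleans anyway. Independently of that, the error on the third added line should format the untrusted entry name with `%q` rather than `%s` so that whitespace and control characters in a hostile archive name are visible in logs. ExtractZipFile's body continues outside the hunk; if the `cleanOutputPath` computed just below is followed by a containment check against `cacheFilePath`, keep it as defense in depth rather than removing it in favor of this pre-check. The hunk does not show how symlink entries are handled; if the extractor materializes them, an entry-name check alone does not bound where later entries land, so that path is worth a look too.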