From 181b054674f7be0f206b7806283cc3ea54afc9f4 Mon Sep 17 00:00:00 2001
From: Zulkhair Abdullah Daim <53172227+zulkhair@users.noreply.github.com>
Date: Fri, 20 Sep 2024 17:32:05 +0700
Subject: [PATCH] Fix code scanning alert #1: Arbitrary file access during archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 common/teacmd/editor.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/common/teacmd/editor.go b/common/teacmd/editor.go
index fef64d9..a95be27 100644
--- a/common/teacmd/editor.go
+++ b/common/teacmd/editor.go
@@ -202,7 +202,10 @@ func unzipFile(filename string, targetDir string) error {
 var originalDir string
 for i, file := range reader.File {
 if i == 0 {
- originalDir = file.Name
+ originalDir, err = sanitizeExtractPath(filepath.Dir(targetDir), file.Name)
+ if err != nil {
+ return err
+ }
 }
 src, err := file.Open()
@@ -235,7 +238,7 @@ func unzipFile(filename string, targetDir string) error {
 dst.Close()
 }
- if err = os.Rename(filepath.Join(filepath.Dir(targetDir), originalDir), targetDir); err != nil {
+ if err = os.Rename(originalDir, targetDir); err != nil {
 return err
 }
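Review bot: The new `sanitizeExtractPath` call sits inside `if i == 0`, so only the first archive entry's name is validated, and that value is used only for the final rename. The code that builds each entry's destination path and creates the file lies between the two hunks and is not shown. If it still joins `file.Name` onto the extraction directory unchecked, entries after the first can still resolve outside it and the Zip Slip alert is not actually closed. I would validate every entry at the top of the loop, e.g. `dstPath, err := sanitizeExtractPath(filepath.Dir(targetDir), file.Name)`, use `dstPath` for all directory and file creation, and keep the `i == 0` branch only to remember the first result. The helper's definition is not part of this diff, so confirm that it cleans the joined path and rejects anything that is not strictly beneath the base directory.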
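Review bot: `os.Rename(originalDir, targetDir)` now depends entirely on what the first entry resolved to, and two edge cases are left unguarded. For an archive with no entries `originalDir` stays empty and the rename fails with an unhelpful error. If the first entry's name cleans to the base itself (for example `.` or `./`), a containment check that accepts the base directory would return `filepath.Dir(targetDir)`, and the rename would then act on the parent directory. A guard before the rename such as `if originalDir == "" || originalDir == filepath.Dir(targetDir) { /* return an explicit error */ }` makes both cases fail closed. A comment there should also state the assumption that the first entry is the archive's single top-level directory. The rest of `unzipFile` is outside the hunk.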