Golang Snippet #07
This challenge covers the review of a snippet of code written in Golang
In this lab, we examine a snippet of Golang code featuring a function named Unzip that takes a source and destination as arguments and returns an array of filenames and an error. The function extracts files from a zip archive, creating directories and files as necessary. However, the function is vulnerable to directory traversal attacks due to the unsafe concatenation of the destination path and the file names within the zip archive. This vulnerability could allow an attacker to overwrite sensitive files outside the intended directory.
The video explains each step of the code in detail, highlighting the key operations and where the vulnerability lies. Specifically, it points out that the code should ensure the extracted file paths start with the destination directory to prevent directory traversal. This is a common issue when dealing with paths provided by potentially untrusted sources. Proper validation and sanitization of paths are critical to mitigating such risks.