/**

* @name Arbitrary file access during archive extraction ("Zip Slip")

* @description Extracting files from a malicious ZIP file, or similar type of archive, without

* validating that the destination file path is within the destination directory

* can allow an attacker to unexpectedly gain access to resources.

* @kind path-problem

* @id go/zipslip

* @problem.severity error

* @security-severity 7.5

* @precision high

* @tags security

* external/cwe/cwe-022

*/

import go

import semmle.go.security.ZipSlip

import ZipSlip::Flow::PathGraph

from ZipSlip::Flow::PathNode source, ZipSlip::Flow::PathNode sink

where ZipSlip::Flow::flowPath(source, sink)

select source.getNode(), source, sink,

"Unsanitized archive entry, which may contain '..', is used in a $@.", sink.getNode(),

"file system operation"