Missing protection against 'Zip Slip' path traversal

  • Rule ID: go_gosec_filesystem_ziparchive
  • Languages: go
  • Source: ziparchive.yml

Description

Your application is vulnerable to a 'Zip Slip' path traversal attack when it extracts files from untrusted archives. A malicious archive can contain entries whose names include relative path components (such as `../`) that escape the intended extraction directory. As a result, the extracted files can overwrite important system files or be written to sensitive locations, leading to a security breach.

Remediations

  • Do implement checks to limit the zip archive's size. This prevents 'Zip Bombs', which are archives that decompress into sizes much larger than expected. For example, use file.UncompressedSize64 to check the size of a file within a ZIP file.
  • Do generate unique filenames for extracted files, or sanitize the original filenames, so that a crafted entry cannot deliberately overwrite an existing file. You can use filepath.Base, for example, to keep only the final path element of an entry name and discard any directory information.
    name := filepath.Base(file.Name)
  • Do validate the paths of extracted files to ensure they are written to a specified, trusted directory without traversing outside of it.
  • Do process only regular files. Exclude symbolic links to prevent indirect file read/write vulnerabilities.
    if !file.Mode().IsRegular() {
        // log.Fatalf is required for the %s verb; log.Fatal does not format its arguments
        log.Fatalf("non-regular file: %s", file.Name)
    }
  • Do ensure directories within the zip archive are processed securely by cleaning the path and strictly validating it against the base path.
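The five remediations above fit together into one extraction routine. The following is an added example, not code from Bearer or from the rule's source file: it checks the declared size, accepts only regular files, confines every entry (files and directories) to the destination directory, and opens output files with O_EXCL so an entry can never overwrite an existing file. The size limits, the `SafeJoin`/`ExtractZip` names and the in-memory sample archive are all constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Limits chosen for this example; tune them to the archives you expect.
const (
	maxFileSize  uint64 = 10 << 20  // 10 MiB per entry
	maxTotalSize uint64 = 100 << 20 // 100 MiB for the whole archive
)

var (
	ErrPathTraversal = errors.New("zip entry escapes destination directory")
	ErrNotRegular    = errors.New("zip entry is not a regular file")
	ErrTooLarge      = errors.New("zip entry exceeds size limit")
)

// SafeJoin resolves an entry name below dest and rejects anything that,
// after cleaning, does not land strictly inside dest.
func SafeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join cleans, collapsing "../"
	if !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrPathTraversal, name)
	}
	return target, nil
}

// ExtractZip writes the archive's regular-file entries below dest and
// returns the paths written. It stops at the first entry that fails a check.
func ExtractZip(r *zip.Reader, dest string) ([]string, error) {
	var written []string
	var total uint64
	for _, f := range r.File {
		if f.FileInfo().IsDir() {
			// Directory entries are validated the same way before creation.
			dir, err := SafeJoin(dest, f.Name)
			if err != nil {
				return written, err
			}
			if err := os.MkdirAll(dir, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if !f.Mode().IsRegular() { // rejects symlinks, devices, etc.
			return written, fmt.Errorf("%w: %q", ErrNotRegular, f.Name)
		}
		// Check the declared size first so an obvious zip bomb is refused
		// before any bytes are decompressed.
		if f.UncompressedSize64 > maxFileSize || total+f.UncompressedSize64 > maxTotalSize {
			return written, fmt.Errorf("%w: %q", ErrTooLarge, f.Name)
		}
		target, err := SafeJoin(dest, f.Name)
		if err != nil {
			return written, err
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		// O_EXCL: never overwrite a file that already exists at the target.
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		// Copy at most limit+1 bytes so a header that lies about its size
		// is still caught by the actual byte count.
		n, err := io.CopyN(out, rc, int64(maxFileSize)+1)
		rc.Close()
		out.Close()
		if err != nil && !errors.Is(err, io.EOF) {
			return written, err
		}
		if uint64(n) > maxFileSize {
			os.Remove(target)
			return written, fmt.Errorf("%w: %q", ErrTooLarge, f.Name)
		}
		total += uint64(n)
		written = append(written, target)
	}
	return written, nil
}

// ExtractBytes parses archive bytes and extracts them into dest.
func ExtractBytes(data []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	return ExtractZip(r, dest)
}

// BuildSampleZip constructs an in-memory archive for the demo: one benign
// entry and, optionally, one traversal entry. This is constructed input.
func BuildSampleZip(malicious bool) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	fw, _ := w.Create("docs/readme.txt")
	fw.Write([]byte("hello"))
	if malicious {
		fw, _ = w.Create("../evil.txt")
		fw.Write([]byte("escaped"))
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "unzip-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	for _, malicious := range []bool{false, true} {
		out := filepath.Join(dest, fmt.Sprintf("run-malicious-%v", malicious))
		written, err := ExtractBytes(BuildSampleZip(malicious), out)
		fmt.Printf("malicious=%v written=%v err=%v\n", malicious, written, err)
	}
}
```

Two points worth noting about the design. `SafeJoin` is pure path arithmetic, so it does not see symlinks that already exist under the destination; if the destination may contain links, resolve it with `filepath.EvalSymlinks` before extracting, and keep the regular-file check so the archive itself cannot plant a link for a later entry to follow. Newer Go releases can also make `zip.NewReader` report `ErrInsecurePath` for such names under a GODEBUG setting, but the containment check here does not rely on that and works on any version.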

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gosec_filesystem_ziparchive

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gosec_filesystem_ziparchive