From bb1b1f6adc6ab880b9a2c768fa7056450ccf70f9 Mon Sep 17 00:00:00 2001
From: raizasafeel <89463672+raizasafeel@users.noreply.github.com>
Date: Mon, 30 Mar 2026 14:48:42 +0530
Subject: [PATCH] fix: prevent path transversals in scorm upload
---
 lms/lms/api.py | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/lms/lms/api.py b/lms/lms/api.py
index 0819fd62..eaa70e3d 100644
--- a/lms/lms/api.py
+++ b/lms/lms/api.py
@@ -1004,9 +1004,20 @@ def upsert_chapter(
 def extract_package(course: str, title: str, scorm_package: dict):
 package = frappe.get_doc("File", scorm_package.name)
 zip_path = package.get_full_path()
- # check_for_malicious_code(zip_path)
+ scorm_root = os.path.realpath(frappe.get_site_path("public", "scorm"))
 extract_path = frappe.get_site_path("public", "scorm", course, title)
- zipfile.ZipFile(zip_path).extractall(extract_path)
+
+ if not os.path.realpath(extract_path).startswith(scorm_root + os.sep):
+ frappe.throw(_("Invalid course or chapter name"))
+
+ with zipfile.ZipFile(zip_path, "r") as zf:
+ dest = os.path.realpath(extract_path)
+ for name in zf.namelist():
+ target = os.path.realpath(os.path.join(extract_path, name))
+ if not target.startswith(dest + os.sep) and target != dest:
+ frappe.throw(_("Invalid file path in package"))
+ zf.extractall(extract_path)
+
 return extract_path
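Review bot: The new validation loop bounds where each entry lands but not how much it unpacks, so a small archive declaring huge entries can fill the site's disk before any traversal check matters; `extract_package` now has neither a decompressed-size nor an entry-count limit. Before `zf.extractall(extract_path)` I would add `if sum(info.file_size for info in zf.infolist()) > max_unpacked_bytes: frappe.throw(_("Package too large"))` with `max_unpacked_bytes` a module constant, noting in a comment that `file_size` is read from the central directory and is attacker-controlled, so a strict cap needs a streaming extract that counts bytes actually written. As a point of style, `os.path.realpath(extract_path)` is computed twice — inline in the first guard and again as `dest` — so assigning `dest` before the first guard and using it in both checks would make the two checks visibly agree on the same resolved path. The removed `# check_for_malicious_code(zip_path)` placeholder was the only reference to content scanning; since the extracted files land under the site's `public` directory and are presumably served from the site origin, a docstring sentence stating whether uploaded HTML/JS is treated as trusted would help the next maintainer.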