(CodeQL) Fixed finding: "Arbitrary file access during archive extraction ("Zip Slip")

" (#2344)

(CodeQL) Fixed finding: "Arbitrary file access during archive extraction ("Zip Slip")
"

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>

src/main/java/stirling/software/SPDF/utils/FileToPdf.java

@@ -105,7 +105,7 @@ public class FileToPdf {
                         new ByteArrayInputStream(Files.readAllBytes(zipFilePath)))) {
             ZipEntry entry = zipIn.getNextEntry();
             while (entry != null) {
-                Path filePath = tempUnzippedDir.resolve(entry.getName());
+                Path filePath = tempUnzippedDir.resolve(sanitizeZipFilename(entry.getName()));
                 if (!entry.isDirectory()) {
                     Files.createDirectories(filePath.getParent());
                     if (entry.getName().toLowerCase().endsWith(".html")
@@ -175,7 +175,7 @@ public class FileToPdf {
                 ZipSecurity.createHardenedInputStream(new ByteArrayInputStream(fileBytes))) {
             ZipEntry entry = zipIn.getNextEntry();
             while (entry != null) {
-                Path filePath = tempDirectory.resolve(entry.getName());
+                Path filePath = tempDirectory.resolve(sanitizeZipFilename(entry.getName()));
                 if (entry.isDirectory()) {
                     Files.createDirectories(filePath); // Explicitly create the directory structure
                 } else {
@@ -241,4 +241,14 @@ public class FileToPdf {
             Files.deleteIfExists(tempOutputFile);
         }
     }
+    
+    static String sanitizeZipFilename(String entryName) {
+        if (entryName == null || entryName.trim().isEmpty()) {
+            return entryName;
+        }
+        while (entryName.contains("../") || entryName.contains("..\\")) {
+            entryName = entryName.replace("../", "").replace("..\\", "");
+        }
+        return entryName;
+    }
 }