Expected Findings
- Archive entries are joined into the upload root without normalization.
- `..` segments escape the intended directory.
- Both POSIX and Windows path separators are honored.
Archive Importer
Zip Slip
The archive extractor writes each entry to disk using its raw filename, so a crafted archive can drop files outside the upload directory.
Extract probe
Primary Flows
- Extract POST entries with traversal
- Last extraction Shows resolved paths
Signals
Write
os.WriteFile(filepath.Join(uploadRoot, entry.Name), entry.Data, 0644)