From bbb9491aef0f1917396cb8b20530a599e946d25a Mon Sep 17 00:00:00 2001
From: GitHub User <494822673@qq.com>
Date: Sat, 20 Jun 2026 16:59:14 +0800
Subject: [PATCH] fix(security): prevent Zip Slip path traversal vulnerability in input_handler

This change fixes CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability by using Python 3.12+'s built-in parameter in extractall(), which automatically rejects:
- Path traversal sequences (../)
- Symbolic links
- Device files and other special files

Fixes #109

Signed-off-by: GitHub User <494822673@qq.com>
---
 src/skillspector/input_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/skillspector/input_handler.py b/src/skillspector/input_handler.py
index e511281..3f28253 100644
--- a/src/skillspector/input_handler.py
+++ b/src/skillspector/input_handler.py
@@ -179,7 +179,7 @@ def _extract_zip(self, zip_path: Path) -> Path:
 extract_dir.mkdir(exist_ok=True)
 try:
 with zipfile.ZipFile(zip_path, "r") as zf:
-zf.extractall(extract_dir)
+zf.extractall(extract_dir, filter="data")
 except zipfile.BadZipFile:
 logger.warning("Invalid zip or extract failed: %s", zip_path)
 raise ValueError(f"Invalid zip file: {zip_path}") from None
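Review bot: The keyword added on the `+` line is not accepted by `zipfile.ZipFile.extractall` (its parameters are `path`, `members` and `pwd`), so every call now raises `TypeError`, which the `except zipfile.BadZipFile` clause below does not catch; extraction of valid archives fails as well. The `filter="data"` extraction filter and the symlink/device-file rejection the commit message describes belong to `tarfile` (PEP 706), not `zipfile`; `zipfile` already strips absolute prefixes and `..` components from member names when extracting, but it silently rewrites them rather than rejecting the archive. To get the explicit rejection the commit intends, validate each member's resolved target against `extract_dir` before calling `extractall`, as sketched below, and drop the unsupported keyword. The enclosing `_extract_zip` method starts and ends outside the hunk.
```python
with zipfile.ZipFile(zip_path, "r") as zf:
    root = extract_dir.resolve()
    for member in zf.infolist():
        target = (extract_dir / member.filename).resolve()
        # reject anything that would land outside extract_dir (absolute names, ../)
        if target != root and root not in target.parents:
            raise ValueError(f"Unsafe path in zip: {member.filename}")
    zf.extractall(extract_dir)
# … unchanged: BadZipFile handling …
```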