archive/tar package. Reader.Next() returns headers with user-controlled filenames — Zip Slip path traversal sink when extracting to filesystem.
.Next() (Source): Next() (*Header, error)
Advances to next entry. Header.Name is user-controlled — Zip Slip path traversal sink.
return

| FQN | Field |
|---|---|
| archive/tar | fqns[0] |
Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.
// standard library — no go.mod entry required
from codepathfinder.go_rule import GoArchiveTar
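
A containment check for the Header.Name values that Reader.Next() returns, shown as an added example (not code from Code Pathfinder or the Go project). The names safeTarget, buildTar, rejectedEntries and the /srv/unpack destination are hypothetical, and the archive is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// safeTarget joins name under destDir and rejects results that escape it.
func safeTarget(destDir, name string) (string, error) {
	target := filepath.Join(destDir, name) // Join cleans ".." segments
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("tar entry %q escapes %q", name, destDir)
	}
	return target, nil
}

// buildTar returns a constructed in-memory archive with the given entry names.
func buildTar(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: 1})
		tw.Write([]byte("x"))
	}
	tw.Close()
	return buf.Bytes()
}

// rejectedEntries checks every Header.Name before any filesystem write.
func rejectedEntries(data []byte, destDir string) (rejected []string, err error) {
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, nerr := tr.Next() // hdr.Name is attacker-controlled
		if nerr != nil && !errors.Is(nerr, tar.ErrInsecurePath) {
			return rejected, nerr // io.EOF marks a clean end of archive
		}
		if _, e := safeTarget(destDir, hdr.Name); e != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}

func main() {
	fmt.Println(rejectedEntries(buildTar("docs/a.txt", "../../etc/cron.d/x"), "/srv/unpack"))
}
```

The check covers entry names only; link entries (Header.Linkname) need their own validation before extraction.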