Potential Zip Slip vulnerability in IDML extraction

[prasunsrivastav123-lang]

The save_idml_file() function uses ZipFile.extractall() without validating archive member paths. This may allow path traversal (Zip Slip) if a malicious IDML file is supplied via --inputfile.

We should ensure extracted files remain inside the intended directory before writing them to disk.

[prasunsrivastav123-lang]

@sydseter can you review this issue ?

can i work on this?

[khushal-winner]

hey @prasunsrivastav123-lang , please use proper bug template to report any bug and save_idml_file() uses _safe_extractall(), not ZipFile.extractall() the same secure function used by save_odt_file(), which resolves symlinks via os.path.realpath(), enforces strict directory boundary checks, and raises a ValueError on any traversal attempt. The vulnerability you're describing doesn't exist in this codebase; the protection is already there and it's thorough.

[prasunsrivastav123-lang]

@khushal-winner I must have missed the _safe_extractall() implementation while reviewing the file. Appreciate you pointing it out.

I'll review the codebase more carefully and make sure to use the proper bug template next time.