Potential fix for code scanning alert no. 4: Arbitrary file access during archive extraction ("Zip Slip") (microsoft#6909)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: 2 people

tests/Microsoft.Bot.Builder.Tests/TranscriptUtilities.cs

@@ -161,14 +161,22 @@ private static void ExtractZipFolder(string zipFilePath, string zipFolder, strin
                 {
                     var entryName = entry.FullName.Remove(0, zipFolderEntry.FullName.Length);
 
+                    // Compute the full extraction path and resolve to prevent Zip Slip
+                    var destinationPath = Path.GetFullPath(Path.Combine(path, entryName));
+                    var fullExtractionRoot = Path.GetFullPath(path + Path.DirectorySeparatorChar);
+                    if (!destinationPath.StartsWith(fullExtractionRoot, StringComparison.Ordinal))
+                    {
+                        throw new InvalidOperationException($"Entry is outside the target dir: {destinationPath}");
+                    }
+
                     if (string.IsNullOrEmpty(entry.Name))
                     {
                         // No Name, it is a folder
-                        CreateDirectoryIfNotExists(Path.Combine(path, entryName));
+                        CreateDirectoryIfNotExists(destinationPath);
                     }
                     else
                     {
-                        entry.ExtractToFile(Path.Combine(path, entryName), overwrite: true);
+                        entry.ExtractToFile(destinationPath, overwrite: true);
                     }
                 }
             }