GoArchiveZip

archive/zip package. OpenReader() and File[].Name are sources of user-controlled filenames — Zip Slip path traversal when extracting.

1 source

Taint flow1 source → 0 sinks

Sources — untrusted input

.OpenReader()Opens zip file for reading

Sources

— user-controlled input enters here

.OpenReader()Source

Signature

OpenReader(name string) (*ReadCloser, error)

Opens zip file for reading. File.Name fields are user-controlled — Zip Slip source.

FQN	Field
archive/zip	fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

go.mod

// standard library — no go.mod entry required

rule.py

from codepathfinder.go_rule import GoArchiveZip