3 files changed, 47 insertions, 2 deletions

diff --git a/Software/Visual_Studio/PPC/Packages/Tango.PPC.Packages.CefInstaller/CefInstaller.cs b/Software/Visual_Studio/PPC/Packages/Tango.PPC.Packages.CefInstaller/CefInstaller.cs
index 62a1d5717..b302bd1d4 100644
--- a/Software/Visual_Studio/PPC/Packages/Tango.PPC.Packages.CefInstaller/CefInstaller.cs
+++ b/Software/Visual_Studio/PPC/Packages/Tango.PPC.Packages.CefInstaller/CefInstaller.cs
@@ -36,7 +36,10 @@ namespace Tango.PPC.Packages.CefInstaller
                         downloader.Download().GetAwaiter().GetResult();
                     }
 
-                    ZipFile.ExtractToDirectory(zipFile, context.ApplicationManager.StartPath);
+                    using (ZipArchive zip = ZipFile.OpenRead(zipFile))
+                    {
+                        zip.ExtractToDirectory(context.ApplicationManager.StartPath, true);
+                    }
                 }
                 catch (Exception ex)
                 {
diff --git a/Software/Visual_Studio/Tango.Core/ExtensionMethods/ZipArchiveExtensions.cs b/Software/Visual_Studio/Tango.Core/ExtensionMethods/ZipArchiveExtensions.cs
new file mode 100644
index 000000000..15aba05bd
--- /dev/null
+++ b/Software/Visual_Studio/Tango.Core/ExtensionMethods/ZipArchiveExtensions.cs
@@ -0,0 +1,39 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.IO.Compression;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+public static class ZipArchiveExtensions
+{
+    public static void ExtractToDirectory(this ZipArchive archive, string destinationDirectoryName, bool overwrite)
+    {
+        if (!overwrite)
+        {
+            archive.ExtractToDirectory(destinationDirectoryName);
+            return;
+        }
+
+        DirectoryInfo di = Directory.CreateDirectory(destinationDirectoryName);
+        string destinationDirectoryFullPath = di.FullName;
+
+        foreach (ZipArchiveEntry file in archive.Entries)
+        {
+            string completeFileName = Path.GetFullPath(Path.Combine(destinationDirectoryFullPath, file.FullName));
+
+            if (!completeFileName.StartsWith(destinationDirectoryFullPath, StringComparison.OrdinalIgnoreCase))
+            {
+                throw new IOException("Trying to extract file outside of destination directory. See this link for more info: https://snyk.io/research/zip-slip-vulnerability");
+            }
+
+            if (file.Name == "")
+            {
+                Directory.CreateDirectory(Path.GetDirectoryName(completeFileName));
+                continue;
+            }
+            file.ExtractToFile(completeFileName, true);
+        }
+    }
+}
diff --git a/Software/Visual_Studio/Tango.Core/Tango.Core.csproj b/Software/Visual_Studio/Tango.Core/Tango.Core.csproj
index 06c6e5a22..891c5e58f 100644
--- a/Software/Visual_Studio/Tango.Core/Tango.Core.csproj
+++ b/Software/Visual_Studio/Tango.Core/Tango.Core.csproj
@@ -72,6 +72,8 @@
     </Reference>
     <Reference Include="System.Drawing" />
     <Reference Include="System.IdentityModel" />
+    <Reference Include="System.IO.Compression" />
+    <Reference Include="System.IO.Compression.FileSystem" />
     <Reference Include="System.Net.Http" />
     <Reference Include="System.Runtime.Serialization" />
     <Reference Include="System.Windows" />
@@ -92,6 +94,7 @@
     <Compile Include="CustomAttributes\PropertyIndexAttribute.cs" />
     <Compile Include="CustomAttributes\StringFormatAttribute.cs" />
     <Compile Include="ExtensionMethods\ByteArrayExtensions.cs" />
+    <Compile Include="ExtensionMethods\ZipArchiveExtensions.cs" />
     <Compile Include="IO\KnownFolders.cs" />
     <Compile Include="Json\ProtobufContractResolver.cs" />
     <Compile Include="Threading\ActionTimer.cs" />
@@ -202,7 +205,7 @@
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <ProjectExtensions>
     <VisualStudio>
-      <UserProperties BuildVersion_AssemblyInfoFilename="Properties\AssemblyInfo.cs" BuildVersion_UpdateAssemblyVersion="True" BuildVersion_BuildVersioningStyle="None.None.Increment.TimeStamp" BuildVersion_UseGlobalSettings="False" BuildVersion_StartDate="2000/1/1" />
+      <UserProperties BuildVersion_StartDate="2000/1/1" BuildVersion_UseGlobalSettings="False" BuildVersion_BuildVersioningStyle="None.None.Increment.TimeStamp" BuildVersion_UpdateAssemblyVersion="True" BuildVersion_AssemblyInfoFilename="Properties\AssemblyInfo.cs" />
     </VisualStudio>
   </ProjectExtensions>
   <Import Project="..\packages\System.Data.SQLite.Core.1.0.108.0\build\net46\System.Data.SQLite.Core.targets" Condition="Exists('..\packages\System.Data.SQLite.Core.1.0.108.0\build\net46\System.Data.SQLite.Core.targets')" />