Fix: Apply path traversal guard to WriteAllToZip() matching WriteAllToDisk() (#27171)
This PR applies the same path traversal guard already present in `WriteAllToDisk()` to `WriteAllToZip()`. A plugin returning a filename like `../../PWNED.txt` is blocked for directory output, but currently slips silently into an archive, enabling Zip Slip-style entries. This fix adds an identical `..` check and returns an error to prevent traversal injection in .zip / .jar / .srcjar output. Closes #27170 Closes #27171 COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/27171 from mrknight-n1du:main 95254bf142ae7be26cab82a6c51b63deb097b9d3 PiperOrigin-RevId: 911318632
M
MRKNIGHTNIDU committed
28bef9809e4d1f5f3b6da2a4a26a3bd5b488136b
Parent: 66ee711
Committed by Copybara-Service <copybara-worker@google.com>
on 5/6/2026, 2:15:25 PM