
Conversation

@010secureng
Owner

Potential fix for https://github.com/010secureng/pyroscope/security/code-scanning/8

To fix this vulnerability, we must ensure that, after stripping path components and constructing the output path, the final resolved (absolute and cleaned) path is strictly within the intended extraction directory (destPath). This check should occur right before any file system operation (file creation, directory creation, etc.). If a path falls outside the destination root, the file/directory extraction should be skipped or raise an error.

Steps to implement:

  1. After calling clearPath, resolve the absolute paths for both destPath (the output root) and p (the target output path).
  2. Check that p has destPath as its prefix (with proper path separator checks to avoid partial matches).
  3. Only proceed with file/directory creation if the check passes.
  4. Apply this check consistently in both extractZip and extractTarGz before creating files and directories.

The verification code requires only the Go standard library (filepath.Abs, filepath.Clean, and string prefix match with path separator).

Changes needed:

  • Add the path check logic into extractZip and extractTarGz, after constructing p and before all file system operations.
  • Could add a utility function for this check.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ring archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@010secureng marked this pull request as ready for review September 20, 2025 12:30
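The check the description above outlines, written out as an added Go example for this page; it is not the PR's diff and not pyroscope's own extractZip. The names safeJoin, extractZip, writeFile and demo are hypothetical, and the archive demo builds is constructed in memory so the whole thing runs offline. safeJoin does the filepath.Abs/filepath.Clean resolution and the separator-aware prefix match the description asks for, extractZip applies it before every MkdirAll/OpenFile, and demo shows a "../../" entry being refused while a benign entry is still written.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("archive entry resolves outside the destination directory")

// safeJoin (hypothetical helper name) resolves an entry name under destPath and returns
// the cleaned absolute path only if it stays strictly inside it. The prefix test appends
// the OS separator so a root of "/tmp/out" never accepts "/tmp/outside". Join anchors
// even an absolute entry name under root and cleans the result, folding every "..".
func safeJoin(destPath, name string) (string, error) {
	root, err := filepath.Abs(filepath.Clean(destPath))
	if err != nil {
		return "", err
	}
	p := filepath.Join(root, name)
	if p != root && !strings.HasPrefix(p, root+string(os.PathSeparator)) {
		return "", ErrOutsideRoot
	}
	return p, nil
}

// extractZip (example, not the project's function) writes r's entries under destPath,
// skipping and recording any entry that safeJoin rejects.
func extractZip(r *zip.Reader, destPath string) ([]string, error) {
	var rejected []string
	for _, f := range r.File {
		p, err := safeJoin(destPath, f.Name) // check before ANY filesystem operation
		if errors.Is(err, ErrOutsideRoot) {
			rejected = append(rejected, f.Name)
			continue
		}
		if err == nil && f.FileInfo().IsDir() {
			err = os.MkdirAll(p, 0o755)
		} else if err == nil {
			err = writeFile(f, p)
		}
		if err != nil {
			return rejected, err
		}
	}
	return rejected, nil
}

// writeFile streams one entry into p with a fixed, non-executable mode.
func writeFile(f *zip.File, p string) error {
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// demo extracts a constructed in-memory archive (one benign entry, one "Zip Slip" entry
// climbing out of the root) into a temp dir and reports the rejected names and whether
// the benign file landed where expected.
func demo() (rejected []string, benignWritten bool, err error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range [][2]string{
		{"profiles/cpu.pprof", "benign profile data"},
		{"../../outside/pwned.txt", "must never be written"},
	} {
		w, _ := zw.Create(e[0]) // writing to an in-memory buffer cannot fail
		w.Write([]byte(e[1]))
	}
	zw.Close()
	dest, err := os.MkdirTemp("", "extract-")
	if err != nil {
		return nil, false, err
	}
	defer os.RemoveAll(dest)
	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	// Under GODEBUG=zipinsecurepath=0 NewReader also flags the "../" name but still
	// returns a usable reader; continue so the per-entry check above does the work.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, false, err
	}
	if rejected, err = extractZip(zr, dest); err != nil {
		return rejected, false, err
	}
	_, statErr := os.Stat(filepath.Join(dest, "profiles", "cpu.pprof"))
	return rejected, statErr == nil, nil
}

func main() { fmt.Println(demo()) }
```

The same safeJoin call serves extractTarGz: run it on each tar header's Name before the os.MkdirAll or os.OpenFile for that entry. Two caveats worth keeping in mind when reviewing the real change: the prefix comparison must include the separator (a bare strings.HasPrefix would let "../outside" through for a root named "out"), and this check only constrains where an entry is written, so an archive that contains symlink entries still needs those handled separately, since a later entry could otherwise be written through a link an earlier entry created.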
