
Potential fix for code scanning alert no. 1: Arbitrary file access during archive extraction ("Zip Slip")#233

Merged
OMGSoundboard merged 2 commits intodevelopmentfrom
alert-autofix-1
Apr 27, 2026

Conversation

@OMGSoundboard
Owner

Potential fix for https://github.com/OMGSoundboard/android-app/security/code-scanning/1

To fix the "Zip Slip" vulnerability, we must ensure that files extracted from the zip archive are only written inside the intended destination directory (privateFolder). This is done by constructing the output file path, normalizing it, and verifying that it starts with the destination directory's normalized path. If the check fails, we should skip extraction of that entry or throw an exception.

Specifically, in restoreBackup, before creating extractedFile and writing to it, we should:

  • Construct the output path using File(privateFolder, entry.name).
  • Normalize the path using toPath().normalize().
  • Check that the normalized path starts with privateFolder.toPath().
  • Only proceed with extraction if the check passes; otherwise, skip or throw.

This change should be made in the block handling .mp3 files (lines 85–101). No new methods are needed, but we should import java.nio.file.Path if not already available (in Kotlin, java.io.File.toPath() is available).


Suggested fixes powered by Copilot Autofix. Review carefully before merging.
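The check the description above asks for, written out as a small runnable Kotlin program. This is an added example, not the project's restoreBackup code or the autofix diff: the helper names safeTarget and extractMp3s are hypothetical, and the archive it extracts is constructed in memory with one benign entry and one "../" entry so the skip path is exercised.

```kotlin
import java.io.ByteArrayInputStream
import java.io.ByteArrayOutputStream
import java.io.File
import java.io.InputStream
import java.nio.file.Files
import java.util.zip.ZipEntry
import java.util.zip.ZipInputStream
import java.util.zip.ZipOutputStream

// Hypothetical helper (not from the project): resolves an entry name against the
// destination directory and returns null when the normalized result escapes it.
fun safeTarget(destDir: File, entryName: String): File? {
    val destPath = destDir.toPath().toAbsolutePath().normalize()
    val target = File(destDir, entryName).toPath().toAbsolutePath().normalize()
    // Path.startsWith compares whole path components, so "/data/private" does not
    // match "/data/private-other"; a plain String.startsWith would.
    return if (target.startsWith(destPath)) target.toFile() else null
}

// Extracts only .mp3 entries, mirroring the block the PR describes, and returns
// the names of entries that were skipped because they resolved outside destDir.
fun extractMp3s(input: InputStream, destDir: File): List<String> {
    val skipped = mutableListOf<String>()
    ZipInputStream(input).use { zip ->
        var entry: ZipEntry? = zip.nextEntry
        while (entry != null) {
            if (!entry.isDirectory && entry.name.endsWith(".mp3")) {
                val extractedFile = safeTarget(destDir, entry.name)
                if (extractedFile == null) {
                    skipped += entry.name
                } else {
                    extractedFile.parentFile?.mkdirs()
                    extractedFile.outputStream().use { out -> zip.copyTo(out) }
                }
            }
            zip.closeEntry()
            entry = zip.nextEntry
        }
    }
    return skipped
}

// Constructed sample archive: one entry inside the folder, one that tries to climb out.
fun buildSampleZip(): ByteArray {
    val buf = ByteArrayOutputStream()
    ZipOutputStream(buf).use { zip ->
        for (name in listOf("sounds/ok.mp3", "../escaped.mp3")) {
            zip.putNextEntry(ZipEntry(name))
            zip.write(byteArrayOf(0x49, 0x44, 0x33)) // constructed placeholder bytes
            zip.closeEntry()
        }
    }
    return buf.toByteArray()
}

fun main() {
    val privateFolder = Files.createTempDirectory("private").toFile()
    val skipped = extractMp3s(ByteArrayInputStream(buildSampleZip()), privateFolder)
    println("skipped entries: $skipped")
    val written = privateFolder.walkTopDown()
        .filter { it.isFile }
        .map { it.relativeTo(privateFolder).path }
        .toList()
    println("written inside privateFolder: $written")
    println("sibling escaped.mp3 exists: " + File(privateFolder.parentFile, "escaped.mp3").exists())
}
```

Two points worth keeping in mind when applying this pattern: normalize() collapses ".." and "." components but does not follow symlinks, so a symlink already present inside the destination folder is not covered by this check; and the comparison must be done on Path objects (component-wise startsWith), since comparing the strings would accept a sibling directory whose name merely begins with the destination's name.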

…ring archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

codacy-production Bot commented Apr 27, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0


@OMGSoundboard OMGSoundboard marked this pull request as ready for review April 27, 2026 22:16
@OMGSoundboard OMGSoundboard merged commit e227196 into development Apr 27, 2026
6 of 9 checks passed