From 7e30f019e037b29296be60a3fb17baef00a9e0e4 Mon Sep 17 00:00:00 2001
From: OMGSoundboard
Date: Mon, 27 Apr 2026 13:19:26 +0200
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 1: Arbitrary file access during archive extraction ("Zip Slip")
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../audio/omgsoundboard/core/data/StorageRepositoryImpl.kt | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/core/src/main/java/audio/omgsoundboard/core/data/StorageRepositoryImpl.kt b/core/src/main/java/audio/omgsoundboard/core/data/StorageRepositoryImpl.kt
index b74f6f7..dd8dae2 100644
--- a/core/src/main/java/audio/omgsoundboard/core/data/StorageRepositoryImpl.kt
+++ b/core/src/main/java/audio/omgsoundboard/core/data/StorageRepositoryImpl.kt
@@ -84,6 +84,11 @@ class StorageRepositoryImpl @Inject constructor(
 entry.name.endsWith(".mp3") -> {
 val extractedFile = File(privateFolder, entry.name)
+ val normalizedPath = extractedFile.toPath().normalize()
+ val targetDirPath = privateFolder.toPath().normalize()
+ if (!normalizedPath.startsWith(targetDirPath)) {
+ throw Exception("Bad zip entry: ${entry.name}")
+ }
 FileOutputStream(extractedFile).use { output ->
 zipIn.copyTo(output)
 }
From 3cb66b16f5521642ff1b3e8872548946d815ef2e Mon Sep 17 00:00:00 2001
From: OMGSoundboard
Date: Mon, 27 Apr 2026 13:35:53 +0200
Subject: [PATCH 2/2] Specify Exception
---
 .../audio/omgsoundboard/core/data/StorageRepositoryImpl.kt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/audio/omgsoundboard/core/data/StorageRepositoryImpl.kt b/core/src/main/java/audio/omgsoundboard/core/data/StorageRepositoryImpl.kt
index dd8dae2..66998a9 100644
--- a/core/src/main/java/audio/omgsoundboard/core/data/StorageRepositoryImpl.kt
+++ b/core/src/main/java/audio/omgsoundboard/core/data/StorageRepositoryImpl.kt
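Review bot: The containment check added before `FileOutputStream(extractedFile)` in the first patch's `-84,6 +84,11` hunk relies on `File.toPath()`, which on Android exists only from API level 26, and `normalize()` is purely lexical, so a symlink already present under `privateFolder` is not resolved. If the module's minSdk is below 26 and NIO desugaring is not enabled (neither is visible here), the call would fail at runtime on older devices instead of rejecting the entry. A comparison on canonical paths works on every API level and follows links: `if (!extractedFile.canonicalPath.startsWith(privateFolder.canonicalPath + File.separator)) {`. The `when` branch starts and ends outside the hunk, so any sibling branch that builds a `File` from `entry.name` would need the same guard.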
@@ -87,7 +87,7 @@ class StorageRepositoryImpl @Inject constructor(
 val normalizedPath = extractedFile.toPath().normalize()
 val targetDirPath = privateFolder.toPath().normalize()
 if (!normalizedPath.startsWith(targetDirPath)) {
- throw Exception("Bad zip entry: ${entry.name}")
+ throw IllegalArgumentException("Bad zip entry: ${entry.name}")
 }
 FileOutputStream(extractedFile).use { output ->
 zipIn.copyTo(output)
@@ -209,4 +209,4 @@ class StorageRepositoryImpl @Inject constructor(
 }
 soundsDao.insertSounds(restoredSounds)
 }
-}
\ No newline at end of file
+}
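Review bot: `IllegalArgumentException` at the `throw` in the `-87,7 +87,7` hunk signals a caller mistake rather than a hostile or corrupt archive, and any caller that handles extraction failures by catching `IOException` will not see it. `java.util.zip.ZipException` is an `IOException` subclass and describes the condition directly: `throw ZipException("Bad zip entry: ${entry.name}")`, with the matching import added. The throw also stops the restore after earlier entries may already have been written to `privateFolder`; the enclosing function and its error handling are outside the hunk, so it is worth confirming that the caller removes partially extracted files on failure.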