docs(examples): Fix code scanning alert no. 228: Uncontrolled data used in path expression (#534)

* docs(example): Potential fix for code scanning alert no. 228: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>

* Fix variable-shadowing alert

Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>

* Apply suggestion from @gemini-code-assist[bot]

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>

---------

Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Author: 3 people

examples/write-large-file.rs

@@ -12,15 +12,25 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
     #[cfg(feature = "_deflate-any")]
     {
         let filename = &*args[1];
-        // Ensure that the filename has no path separators or parent directory references
-        if filename.contains("..") || filename.contains('/') || filename.contains('\\') {
-            return Err("Invalid filename: path separators or '..' are not allowed".into());
+        // Ensure that the filename is non-empty and has no path separators or parent directory references.
+        // WARNING: This check is not sufficient to prevent TOCTOU (Time-of-check to time-of-use)
+        // race conditions. An attacker could create a symbolic link with a "safe" name that
+        // points to a sensitive file. When `File::create` is called, it will follow the
+        // symlink and may overwrite the target file. This is example code and is not
+        // intended for use in production.
+        let trimmed_filename = filename.trim();
+        if trimmed_filename.is_empty()
+            || trimmed_filename.contains("..")
+            || trimmed_filename.contains('/')
+            || trimmed_filename.contains('\\')
+        {
+            return Err("Invalid filename: must be a non-empty simple file name without path separators or '..'".into());
         }
         use std::io::Write;
 
         use zip::write::SimpleFileOptions;
 
-        let file = std::fs::File::create(filename)?;
+        let file = std::fs::File::create(trimmed_filename)?;
         let mut zip = zip::ZipWriter::new(file);
 
         let options = SimpleFileOptions::default()