This is an automated email from the ASF dual-hosted git repository. bchapuis pushed a commit to branch sonar in repository https://gitbox.apache.org/repos/asf/incubator-baremaps.git
commit 03414eb5ef46bdbabb4aa32edb54222c8abcacdc
Author: Bertil Chapuis <[email protected]>
AuthorDate: Thu Jun 13 14:28:35 2024 +0200
Prevent zip slip and path injection
---
.../baremaps/workflow/tasks/DecompressFile.java | 46 ++++++++++++----------
1 file changed, 26 insertions(+), 20 deletions(-)
diff --git a/baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java b/baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java
index 6fca8f46..87c48a85 100644
--- a/baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java
+++ b/baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java
@@ -159,17 +159,21 @@ public class DecompressFile implements Task {
 TarArchiveEntry entry;
 while ((entry = tarInputStream.getNextEntry()) != null) {
 var path = target.resolve(entry.getName());
- if (entry.isDirectory()) {
- Files.createDirectories(path);
- } else {
- Files.createDirectories(path.getParent());
- Files.write(path, new byte[] {},
- StandardOpenOption.CREATE,
- StandardOpenOption.TRUNCATE_EXISTING);
- try (BufferedOutputStream outputStream =
- new BufferedOutputStream(Files.newOutputStream(path))) {
- tarInputStream.transferTo(outputStream);
+ if (path.toFile().getCanonicalPath().startsWith(target.toFile().getCanonicalPath())) {
+ if (entry.isDirectory()) {
+ Files.createDirectories(path);
+ } else {
+ Files.createDirectories(path.getParent());
+ Files.write(path, new byte[] {},
+ StandardOpenOption.CREATE,
+ StandardOpenOption.TRUNCATE_EXISTING);
+ try (BufferedOutputStream outputStream =
+ new BufferedOutputStream(Files.newOutputStream(path))) {
+ tarInputStream.transferTo(outputStream);
+ }
 }
+ } else {
+ throw new IOException("Entry is outside of the target directory");
 }
 }
 }
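Review bot: The containment check on the added `if` line compares canonical path strings with a bare `startsWith`, so an entry that canonicalises to a sibling directory sharing the target's name as a prefix (target `/data/out`, entry resolving to `/data/out2/x`) passes the check and is still written outside the target. Compare path components instead, which rejects `/data/out2` for target `/data/out` while still accepting the target itself: `var resolved = path.toFile().getCanonicalFile().toPath();` followed by `if (resolved.startsWith(target.toFile().getCanonicalFile().toPath())) {`. The target's canonical form is also recomputed for every entry; it can be computed once before the `while` line that appears in this hunk's context. The enclosing method starts before this hunk.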
@@ -189,16 +193,18 @@ public class DecompressFile implements Task {
 while (entries.hasMoreElements()) {
 var entry = entries.nextElement();
 var path = target.resolve(entry.getName());
- if (entry.isDirectory()) {
- Files.createDirectories(path);
- } else {
- Files.createDirectories(path.getParent());
- Files.write(path, new byte[] {},
- StandardOpenOption.CREATE,
- StandardOpenOption.TRUNCATE_EXISTING);
- try (var input = new BufferedInputStream(zipFile.getInputStream(entry));
- var output = new BufferedOutputStream(new FileOutputStream(path.toFile()))) {
- input.transferTo(output);
+ if (path.toFile().getCanonicalPath().startsWith(target.toFile().getCanonicalPath())) {
+ if (entry.isDirectory()) {
+ Files.createDirectories(path);
+ } else {
+ Files.createDirectories(path.getParent());
+ Files.write(path, new byte[] {},
+ StandardOpenOption.CREATE,
+ StandardOpenOption.TRUNCATE_EXISTING);
+ try (var input = new BufferedInputStream(zipFile.getInputStream(entry));
+ var output = new BufferedOutputStream(new FileOutputStream(path.toFile()))) {
+ input.transferTo(output);
+ }
 }
 }
 }
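Review bot: Unlike the tar branch in the previous hunk, a zip entry that fails the added containment check is silently dropped here — there is no `else`, no log and no exception — so a crafted archive produces a partial extraction that callers cannot distinguish from success. Mirror the tar path after the closing brace of the inner `if`/`else`: `} else { throw new IOException("Entry is outside of the target directory"); }`. The same string-prefix weakness applies to this `startsWith` line: a canonical path under a sibling such as `/data/out2` passes for target `/data/out`, so comparing `Path` components (`path.toFile().getCanonicalFile().toPath().startsWith(...)`) is preferable. The enclosing method begins before this hunk.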
