This is an automated email from the ASF dual-hosted git repository.
bchapuis pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-baremaps.git
The following commit(s) were added to refs/heads/main by this push:
new 40352c07 Prevent zip slip and path injection (#875)
40352c07 is described below
commit 40352c07b91e26850fe47eb8f95b6dee6f2a11c0
Author: Bertil Chapuis <[email protected]>
AuthorDate: Thu Jun 13 14:29:51 2024 +0200
Prevent zip slip and path injection (#875)
---
.../baremaps/workflow/tasks/DecompressFile.java | 46 ++++++++++++----------
1 file changed, 26 insertions(+), 20 deletions(-)
diff --git
a/baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java
b/baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java
index 6fca8f46..87c48a85 100644
---
a/baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java
+++
b/baremaps-core/src/main/java/org/apache/baremaps/workflow/tasks/DecompressFile.java
@@ -159,17 +159,21 @@ public class DecompressFile implements Task {
TarArchiveEntry entry;
while ((entry = tarInputStream.getNextEntry()) != null) {
var path = target.resolve(entry.getName());
- if (entry.isDirectory()) {
- Files.createDirectories(path);
- } else {
- Files.createDirectories(path.getParent());
- Files.write(path, new byte[] {},
- StandardOpenOption.CREATE,
- StandardOpenOption.TRUNCATE_EXISTING);
- try (BufferedOutputStream outputStream =
- new BufferedOutputStream(Files.newOutputStream(path))) {
- tarInputStream.transferTo(outputStream);
+ if
(path.toFile().getCanonicalPath().startsWith(target.toFile().getCanonicalPath()))
{
+ if (entry.isDirectory()) {
+ Files.createDirectories(path);
+ } else {
+ Files.createDirectories(path.getParent());
+ Files.write(path, new byte[] {},
+ StandardOpenOption.CREATE,
+ StandardOpenOption.TRUNCATE_EXISTING);
+ try (BufferedOutputStream outputStream =
+ new BufferedOutputStream(Files.newOutputStream(path))) {
+ tarInputStream.transferTo(outputStream);
+ }
}
+ } else {
+ throw new IOException("Entry is outside of the target directory");
}
}
}
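Review bot: The string prefix test in the new `if` at the top of the loop body accepts sibling directories whose names merely extend the target's name: with a target of `/data/out`, an entry that canonicalizes to `/data/out-evil/x` starts with `/data/out` and is written outside the intended tree. Comparing `Path` objects makes the check component-wise: compute `var base = target.toFile().getCanonicalFile().toPath();` once before the `while` loop and test `if (path.toFile().getCanonicalFile().toPath().startsWith(base)) {`. Absolute entry names, which `target.resolve` returns unchanged, are still rejected by that form. The enclosing method starts before the hunk and continues past it.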
@@ -189,16 +193,18 @@ public class DecompressFile implements Task {
while (entries.hasMoreElements()) {
var entry = entries.nextElement();
var path = target.resolve(entry.getName());
- if (entry.isDirectory()) {
- Files.createDirectories(path);
- } else {
- Files.createDirectories(path.getParent());
- Files.write(path, new byte[] {},
- StandardOpenOption.CREATE,
- StandardOpenOption.TRUNCATE_EXISTING);
- try (var input = new
BufferedInputStream(zipFile.getInputStream(entry));
- var output = new BufferedOutputStream(new
FileOutputStream(path.toFile()))) {
- input.transferTo(output);
+ if
(path.toFile().getCanonicalPath().startsWith(target.toFile().getCanonicalPath()))
{
+ if (entry.isDirectory()) {
+ Files.createDirectories(path);
+ } else {
+ Files.createDirectories(path.getParent());
+ Files.write(path, new byte[] {},
+ StandardOpenOption.CREATE,
+ StandardOpenOption.TRUNCATE_EXISTING);
+ try (var input = new
BufferedInputStream(zipFile.getInputStream(entry));
+ var output = new BufferedOutputStream(new
FileOutputStream(path.toFile()))) {
+ input.transferTo(output);
+ }
}
}
}
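Review bot: Unlike the tar hunk above, this zip loop has no `else` branch for an entry that fails the canonical-path check, so a traversal attempt is silently skipped and extraction finishes as if it succeeded with files missing; the archive should be rejected the same way, with `} else { throw new IOException("Entry is outside of the target directory"); }` after the `if` block. The same `startsWith` on strings is used here and lets `/data/out-evil/...` pass for a target of `/data/out`; a component-wise check via `path.toFile().getCanonicalFile().toPath().startsWith(target.toFile().getCanonicalFile().toPath())` closes that. The enclosing method starts before the hunk and continues past it.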