This is an automated email from the ASF dual-hosted git repository.

mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new 48b7d1ebb1 Add filename check for unTar (#4222)
48b7d1ebb1 is described below

commit 48b7d1ebb1138074356da9790fb20f3219c887a4
Author: Hang Chen <[email protected]>
AuthorDate: Mon Mar 4 12:07:49 2024 +0800

    Add filename check for unTar (#4222)
    
    * add filename check for unTar
    
    * update code
---
 .../org/apache/bookkeeper/tests/integration/utils/DockerUtils.java  | 6 +++++-
 .../apache/bookkeeper/tests/integration/utils/MavenClassLoader.java | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git 
a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java
 
b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java
index bae9057fa1..a3b8778946 100644
--- 
a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java
+++ 
b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java
@@ -135,7 +135,11 @@ public class DockerUtils {
             TarArchiveEntry entry = stream.getNextTarEntry();
             while (entry != null) {
                 if (entry.isFile()) {
-                    File output = new File(getTargetDirectory(containerId), 
entry.getName().replace("/", "-"));
+                    File targetDir = getTargetDirectory(containerId);
+                    File output = new File(targetDir, 
entry.getName().replace("/", "-"));
+                    if 
(!output.toPath().normalize().startsWith(targetDir.toPath())) {
+                        throw new IOException("Bad zip entry");
+                    }
                     try (FileOutputStream os = new FileOutputStream(output)) {
                         byte[] block = new byte[readBlockSize];
                         int read = stream.read(block, 0, readBlockSize);
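Review bot: The guard on the new `if` line compares a normalized child path against an un-normalized `targetDir.toPath()`, so if `getTargetDirectory(containerId)` ever returns a path containing `.` or `..` segments (for example a relative `./target/...`), `startsWith` fails and every legitimate entry is rejected; normalize both sides, `if (!output.toPath().normalize().startsWith(targetDir.toPath().normalize())) {`. The archive being read is a tar, and the message omits the offending name, which makes a rejection hard to debug, so prefer `throw new IOException("Bad tar entry: " + entry.getName());`. Because `/` is flattened to `-` before the `File` is built, an entry name cannot carry a POSIX separator at all, so this check presumably matters mainly for backslash separators on Windows; worth confirming that is the intended threat. The enclosing method starts before and ends after this hunk.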
diff --git 
a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
 
b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
index 2b1fabf6be..d77c3920ac 100644
--- 
a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
+++ 
b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
@@ -367,6 +367,10 @@ public class MavenClassLoader implements AutoCloseable {
             TarArchiveEntry entry;
             while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) 
!= null) {
                 final File outputFile = new File(outputDir, entry.getName());
+                if 
(!outputFile.toPath().normalize().startsWith(outputDir.toPath())) {
+                    throw new IOException("Bad zip entry");
+                }
+
                 if (!outputFile.getParentFile().exists()) {
                     outputFile.getParentFile().mkdirs();
                 }
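Review bot: The new check compares `outputFile.toPath().normalize()` against an un-normalized `outputDir.toPath()`, so a base directory that is relative or contains `.`/`..` segments causes valid entries to be rejected rather than traversal to be caught; compare against a normalized, absolute base, `Path base = outputDir.toPath().toAbsolutePath().normalize();` before the loop and `if (!outputFile.toPath().toAbsolutePath().normalize().startsWith(base)) {`. Note that `Path.startsWith` is true for an equal path, so an entry whose name normalizes to the base itself (e.g. `.`) passes the check and then reaches the `mkdirs` on its parent; rejecting equality as well, `|| path.equals(base)`, closes that case. The message should say `"Bad tar entry: " + entry.getName()` rather than "Bad zip entry" so the rejected name is visible in logs. How the loop treats directory and symlink entries lies outside this hunk, and the enclosing method starts before and ends after it.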
