sahvx655-wq created FELIX-6836:
----------------------------------
Summary: Mitigate Zip Slip / Path Traversal (CWE-22) Vulnerability in Archive Extraction and Cache Handlers
Key: FELIX-6836
URL: https://issues.apache.org/jira/browse/FELIX-6836
Project: Felix
Issue Type: Bug
Components: Bundle Repository (OBR), Framework
Reporter: sahvx655-wq
Several components within Apache Felix (specifically bundlerepository,
gogo.command, and the framework cache) extract or look up entries from ZIP/JAR
archives without fully validating that the paths do not escape the target
destination directory. This exposes the system to path traversal / Zip Slip
vulnerabilities (CWE-22) if a malicious archive containing traversal sequences
(e.g., "../../evil.txt") is processed.
To mitigate this, the following changes have been implemented:
1. Added validation in bundlerepository's FileUtil and ObrGogoCommand to ensure
that extracted JAR entries resolve within the target extraction directory.
2. Added validation in gogo.command's Util.unjar to prevent writing files
outside the destination directory.
3. Updated cache Content handlers (DirectoryContent, JarContent, and
ConnectContentContent) in framework to normalize paths and reject directory
traversal entries.
4. Added regression unit tests (FileUtilTest, UtilTest, and BundleCacheTest) to
verify that traversal entries are rejected correctly.
--
This message was sent by Atlassian Jira (v8.20.10#820010)
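The containment check described in items 1 and 2 of the issue, as an added example that is not Felix's own code: every entry name is resolved against the destination directory and normalized, and the entry is rejected unless the result is still inside that directory, before anything is written. The class name SafeUnjar, the temp-directory prefix and the in-memory archive are constructed for this illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnjar {
    // Resolve an entry name against destDir and refuse anything that escapes it (Zip Slip / CWE-22).
    // Path.startsWith compares whole components, so "/cache2" is not mistaken for a child of "/cache".
    static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Rejected traversal entry: " + entryName);
        }
        return target;
    }

    // Extract an archive, writing only entries that resolve within destDir.
    static void unjar(InputStream in, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(in)) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                Path target = resolveInside(destDir, e.getName());
                if (e.isDirectory()) continue;
                Files.createDirectories(target.getParent());
                Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    // Constructed test data: a benign manifest followed by a traversal entry.
    static byte[] maliciousArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry("META-INF/MANIFEST.MF"));
            zout.write("Manifest-Version: 1.0\n".getBytes("UTF-8"));
            zout.putNextEntry(new ZipEntry("../../evil.txt"));
            zout.write("should never land outside dest\n".getBytes("UTF-8"));
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("felix-cache");
        try {
            unjar(new ByteArrayInputStream(maliciousArchive()), dest);
        } catch (IOException ex) {
            System.out.println(ex.getMessage()); // MANIFEST.MF is written; ../../evil.txt is rejected
        }
    }
}
```

The same resolveInside check serves the lookup side described in item 3: a cache Content handler can run a requested entry name through it and return null for anything that does not stay under the bundle's cache directory.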