imbajin commented on code in PR #2918:
URL:
https://github.com/apache/incubator-hugegraph/pull/2918#discussion_r2629504434
##########
hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/util/CompressUtil.java:
##########
@@ -160,15 +160,26 @@ public static void decompressTar(String sourceFile,
String outputDir,
private static Path zipSlipProtect(ArchiveEntry entry, Path targetDir)
throws IOException {
- Path targetDirResolved = targetDir.resolve(entry.getName());
+ return zipSlipProtect(entry.getName(), targetDir);
+ }
+
+ private static Path zipSlipProtect(ZipEntry entry, Path targetDir)
+ throws IOException {
+ return zipSlipProtect(entry.getName(), targetDir);
+ }
+
+ private static Path zipSlipProtect(String entryName, Path targetDir)
+ throws IOException {
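Review bot: the `zipSlipProtect(String entryName, Path targetDir)` overload at the end of this hunk is now the only place the containment check runs, since both the `ArchiveEntry` and `ZipEntry` overloads just forward `entry.getName()` to it, so it should normalize both `targetDir` and the resolved path before comparing them. `Path.startsWith` compares path components and does not collapse `..` on its own. The body is cut off in this hunk, so please confirm it does that, and add a short comment on the overload saying when it throws `IOException`.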
Review Comment:
**⚠️ Important: Zip slip protection can be simplified**
Good addition of zip slip protection, but the implementation has some
redundancy:
1. Both `ArchiveEntry` and `ZipEntry` overloads now delegate to the same
`String` version
2. The `decompressZip` method uses the protected path correctly
**Suggestion for better consistency:**
Ensure `outputDir` is normalized at the start of `decompressZip` to use the
same base path for all operations. This prevents potential issues if
`outputDir` itself contains path traversal characters.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
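The normalization suggested in the review comment, as an added example that is not code from the PR or from HugeGraph. The class `ZipSlipDemo`, the helper `safeResolve`, the exception message and all paths and entry names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical demo class; this is not HugeGraph's CompressUtil.
public class ZipSlipDemo {

    // Resolve entryName under baseDir and reject anything that escapes it.
    static Path safeResolve(String entryName, Path baseDir) throws IOException {
        // Normalize the base once, so "work/../out" and "out" compare equal.
        Path base = baseDir.toAbsolutePath().normalize();
        // normalize() collapses ".." segments; startsWith() compares whole
        // path components, so ".../out-evil" does not match ".../out".
        Path resolved = base.resolve(entryName).normalize();
        if (!resolved.startsWith(base)) {
            throw new IOException("Entry is outside of the target dir: " + entryName);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed input: the output directory itself contains "..".
        Path outputDir = Paths.get("work", "..", "out");
        String[] entryNames = {
            "conf/graph.properties",  // stays inside the base
            "a/../b.txt",             // stays inside after normalization
            "../out-evil/x.txt",      // sibling directory sharing the prefix "out"
            "../../outside.txt",      // climbs above the base
        };
        for (String name : entryNames) {
            try {
                System.out.println("OK      " + name + " -> " + safeResolve(name, outputDir));
            } catch (IOException e) {
                System.out.println("BLOCKED " + name);
            }
        }
    }
}
```

The first two entries resolve inside the normalized base and the last two are rejected. Symbolic links inside the output directory are not resolved by this check.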