Fix zip traversal vulnerability #66
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…the destination folder
…side the destination folder to remain inside the folder
Enhancing java doc
|
thanks for this contribution, i'm glad to see that people are looking into security aspects of jarchivelib. i have some concerns merging this into master because i'm still planning on releasing a major version that's compatible with java 6 to not break peoples code. i'll gladly merge it into the next major version where java 6 will be dropped (see #22) |
|
@thrau thanks! Glad to know that you were already planning on using java.nio. I'm curious, is there a rough estimate on when the next major release version might be (when java 6 will be dropped)? |
|
i can't give you one at the moment, but in principle i could start a new branch for 2.x and start deploying snapshots for you to use your code. |
|
Great. Thank you! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There is a vulnerability where an attacker can create an archive with entries, when extracted, attempt to traverse up the file system then down to overwrite system files, giving the attacker the ability to perform malicious attacks.
This PR fixes this vulnerability by verifying that the file is being created inside the target/destination directory. If it is not, it is forced to be placed inside the directory. The added test cases show different scenarios of attempts to traverse outside the target directory.
I chose to solve the problem using java.nio which is supported starting java 7 hence the change in pom.xml
For more information about the vulnerability, please refer to this blog post https://blog.sonatype.com/making-sure-our-users-dont-zip-slip-and-fall