Merge pull request #149 from BulkSecurityGeneratorProjectV2/fix/JLL/z…

…ip-slip-vulnerability [SECURITY] Fix Zip Slip Vulnerability
zeroturnaround · Sep 11, 2022 · 6949358 · 6949358
2 parents 9b08188 + 627bbc9
commit 6949358
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/src/main/java/org/zeroturnaround/zip/ZipUtil.java b/src/main/java/org/zeroturnaround/zip/ZipUtil.java
@@ -1140,7 +1140,7 @@ private static File checkDestinationFileForTraversal(File outputDir, String name
      * that the outputdir + name doesn't leave the outputdir. See
      * DirectoryTraversalMaliciousTest for details.
      */
-    if (name.indexOf("..") != -1 && !destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+    if (name.indexOf("..") != -1 && !destFile.getCanonicalFile().toPath().startsWith(outputDir.getCanonicalFile().toPath())) {
       throw new MaliciousZipException(outputDir, name);
     }
     return destFile;

diff --git a/src/test/java/example/UnpackExample.java b/src/test/java/example/UnpackExample.java
@@ -26,7 +26,11 @@ public static void usual() throws IOException {
         OutputStream out = null; 
         try {
           in = zf.getInputStream(e);
-          out = new FileOutputStream(new File("demo", e.getName()));
+          final File zipEntryFile = new File("demo", e.getName());
+          if (!zipEntryFile.toPath().normalize().startsWith("demo")) {
+            throw new IOException("Bad zip entry");
+          }
+          out = new FileOutputStream(zipEntryFile);
           IOUtils.copy(in, out);
         }
         finally {