From 0c9f1e9d69a08ed35648eb85dae01d2592b72403 Mon Sep 17 00:00:00 2001
From: Odinn <odinn@Odinns-MacBook-Pro.local>
Date: Sun, 6 May 2018 01:16:55 +0300
Subject: [PATCH 2/2] fix: fail when trying to extract outside of dest dir
A well crafted zip file may cause the code to extract outside of the destination dir.
This PR fails when that happens so that no unexpected behaviour happens.
---
.../plexus/archiver/AbstractUnArchiver.java | 9 ++++++++
.../plexus/archiver/zip/ZipUnArchiverTest.java | 24 +++++++++++++++++++++
src/test/zips/zip-slip.zip | Bin 0 -> 545 bytes
3 files changed, 33 insertions(+)
create mode 100644 src/test/zips/zip-slip.zip
diff --git a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
index bd462d9..9675880 100644
--- a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
+++ b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java
@@ -308,6 +308,15 @@ protected void extractFile( final File srcF, final File dir, final InputStream c
// Hmm. Symlinks re-evaluate back to the original file here. Unsure if this is a good thing...
final File f = FileUtils.resolveFile( dir, entryName );
+ // Make sure that the resolved path of the extracted file doesn't escape the destination directory
+ String canonicalDirPath = dir.getCanonicalPath();
+ String canonicalDestPath = f.getCanonicalPath();
+
+ if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
+ {
+ throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
+ }
+
try
{
if ( !isOverwrite() && f.exists() && ( f.lastModified() >= entryDate.getTime() ) )
diff --git a/src/test/java/org/codehaus/plexus/archiver/zip/ZipUnArchiverTest.java b/src/test/java/org/codehaus/plexus/archiver/zip/ZipUnArchiverTest.java
index 1f72a61..ea46a5a 100644
--- a/src/test/java/org/codehaus/plexus/archiver/zip/ZipUnArchiverTest.java
+++ b/src/test/java/org/codehaus/plexus/archiver/zip/ZipUnArchiverTest.java
@@ -190,6 +190,30 @@ public void testSelectors()
} );
}
+ public void testExtractingZipWithEntryOutsideDestDirThrowsException()
+ throws Exception
+ {
+ Exception ex = null;
+ String s = "target/zip-unarchiver-slip-tests";
+ File testZip = new File( getBasedir(), "src/test/zips/zip-slip.zip" );
+ File outputDirectory = new File( getBasedir(), s );
+
+ FileUtils.deleteDirectory( outputDirectory );
+
+ try
+ {
+ ZipUnArchiver zu = getZipUnArchiver( testZip );
+ zu.extract( "", outputDirectory );
+ }
+ catch ( Exception e )
+ {
+ ex = e;
+ }
+
+ assertNotNull( ex );
+ assertTrue( ex.getMessage().startsWith( "Entry is outside of the target directory" ) );
+ }
+
private ZipArchiver getZipArchiver()
{
try
diff --git a/src/test/zips/zip-slip.zip b/src/test/zips/zip-slip.zip
new file mode 100644
index 0000000..38b3f49
--- /dev/null
+++ b/src/test/zips/zip-slip.zip
@@ -0,0 +1,5 @@
+PK
+
distrib
>
Mageia
>
6
>
armv7hl
>
media
>
core-updates-src
>
by-pkgid
>
429c8b0c157f21c4e3724db85a597989
>
files
>
1
