From 99a6fced127962ab1f1963cc1a56878ea2c44a38 Mon Sep 17 00:00:00 2001
From: Sylwester Lachiewicz
Date: Sun, 19 Jun 2022 19:29:31 +0200
Subject: [PATCH] Validate zip file names before extracting (Zip Slip)
---
 .../compiler/csharp/CSharpCompiler.java |  2 +-
 .../plexus/compiler/csharp/JarUtil.java | 40 ++++++++++---------
 2 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/CSharpCompiler.java b/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/CSharpCompiler.java
index 2ed86db2..5837ef9d 100644
--- a/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/CSharpCompiler.java
+++ b/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/CSharpCompiler.java
@@ -285,7 +285,7 @@ private String[] buildCompilerArguments( CompilerConfiguration config, String[]
             {
                 dllDir.mkdir();
             }
-            JarUtil.extract(dllDir, new File(element));
+            JarUtil.extract(dllDir.toPath(), new File(element));
             for (String tmpfile : dllDir.list())
             {
                 if ( tmpfile.endsWith(DLL_SUFFIX) )
diff --git a/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/JarUtil.java b/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/JarUtil.java
index 5b897378..2d5689b7 100644
--- a/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/JarUtil.java
+++ b/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/JarUtil.java
@@ -1,31 +1,35 @@
 package org.codehaus.plexus.compiler.csharp;
 import java.io.File;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.Enumeration;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 public class JarUtil {
-    public static void extract( File destDir, File jarFile ) throws IOException
-    {
-        JarFile jar = new JarFile( jarFile );
-        Enumeration enumEntries = jar.entries();
-        while ( enumEntries.hasMoreElements() ) {
-            JarEntry file = ( JarEntry ) enumEntries.nextElement();
-            File f = new File( destDir + File.separator + file.getName() );
-            if ( file.isDirectory() )
-            {
-                f.mkdir();
-                continue;
-            }
-            try ( InputStream is = jar.getInputStream( file ); FileOutputStream fos = new FileOutputStream( f ) )
-            {
-                while ( is.available() > 0 )
-                {
-                    fos.write( is.read() );
+    public static void extract(Path destDir, File jarFile) throws IOException {
+        Path toPath = destDir.normalize();
+        try (JarFile jar = new JarFile(jarFile)) {
+            Enumeration enumEntries = jar.entries();
+            while (enumEntries.hasMoreElements()) {
+                JarEntry file = enumEntries.nextElement();
+                Path f = destDir.resolve(file.getName());
+                if (!f.startsWith(toPath)) {
+                    throw new IOException("Bad zip entry");
+                }
+                if (file.isDirectory()) {
+                    Files.createDirectories(f);
+                    continue;
+                }
+                try (InputStream is = jar.getInputStream(file);
+                        OutputStream fos = Files.newOutputStream(f)) {
+                    while (is.available() > 0) {
+                        fos.write(is.read());
+                    }
                 }
             }
         }
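Review bot: The new guard `if (!f.startsWith(toPath))` does not yet close the Zip Slip hole it targets, because `Path f = destDir.resolve(file.getName())` is never normalized and `Path.startsWith` compares name elements literally, so a resolved path of the form `dest/../x` still "starts with" `dest` and only absolute entry names are actually rejected. Normalize the candidate and resolve it against the already-normalized base so both sides of the comparison agree: `Path f = toPath.resolve(file.getName()).normalize();`. Including the offending name in the error, e.g. `throw new IOException("Bad zip entry: " + file.getName());`, would also make a rejected archive diagnosable from the log. The byte-at-a-time `is.available()` copy loop is carried over unchanged from the old code and is not what this commit addresses. The closing braces of `extract` and of the class lie beyond the hunk.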