Add filename check for unTar (#4222)

* add filename check for unTar

* update code

tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java

@@ -135,7 +135,11 @@ public static void dumpContainerLogDirToTarget(DockerClient docker, String conta
             TarArchiveEntry entry = stream.getNextTarEntry();
             while (entry != null) {
                 if (entry.isFile()) {
-                    File output = new File(getTargetDirectory(containerId), entry.getName().replace("/", "-"));
+                    File targetDir = getTargetDirectory(containerId);
+                    File output = new File(targetDir, entry.getName().replace("/", "-"));
+                    if (!output.toPath().normalize().startsWith(targetDir.toPath())) {
+                        throw new IOException("Bad zip entry");
+                    }
                     try (FileOutputStream os = new FileOutputStream(output)) {
                         byte[] block = new byte[readBlockSize];
                         int read = stream.read(block, 0, readBlockSize);

tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java

@@ -367,6 +367,10 @@ private static void unTar(final File inputFile, final File outputDir) throws Exc
             TarArchiveEntry entry;
             while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) {
                 final File outputFile = new File(outputDir, entry.getName());
+                if (!outputFile.toPath().normalize().startsWith(outputDir.toPath())) {
+                    throw new IOException("Bad zip entry");
+                }
+
                 if (!outputFile.getParentFile().exists()) {
                     outputFile.getParentFile().mkdirs();
                 }