Skip to content

Commit

Permalink
Prevent "Zip Slip" (#497)
Browse files Browse the repository at this point in the history 
See
- Snyk: Zip Slip Vulnerability https://snyk.io/research/zip-slip-vulnerability
- OWASP: Path Traversal https://owasp.org/www-community/attacks/Path_Traversal
- Common Weakness Enumeration https://cwe.mitre.org/data/definitions/22.html.

Closes #496
  • Loading branch information
@gesellix
gesellix authored Jul 28, 2024
1 parent d3c0bcc commit 9ff7440
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions api-client/src/test/java/de/gesellix/docker/remote/api/testutil/TarUtil.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
import okio.BufferedSink;
import okio.Okio;
import okio.Sink;

import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
Expand All @@ -27,6 +28,9 @@ public File unTar(InputStream tar) throws IOException {
TarArchiveEntry tarEntry;
while ((tarEntry = tis.getNextEntry()) != null) {
File outputFile = new File(destDir, tarEntry.getName());
if (!outputFile.toPath().normalize().startsWith(destDir.toPath())) {
throw new RuntimeException("Bad zip entry");
}
if (tarEntry.isDirectory()) {
if (!outputFile.exists()) {
outputFile.mkdirs();
Expand Down

0 comments on commit 9ff7440

Please sign in to comment.