(lazy) Potential fix for code scanning alert no. 6: Arbitrary file access during archive extraction ("Zip Slip")

Skullians · github-advanced-security[bot] · web-flow · commit d9b1410af3a2 · 2025-01-26T15:06:58.000Z
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/common/src/main/java/com/loohp/multichatdiscordsrvaddon/resources/ResourceDownloadManager.java b/common/src/main/java/com/loohp/multichatdiscordsrvaddon/resources/ResourceDownloadManager.java
@@ -159,17 +159,17 @@ public void run() {
                     }
                     byte[] currentEntry = baos.toByteArray();
 
-                    File folder = new File(packFolder, name).getParentFile();
-                    File normalizedFolder = folder.toPath().normalize().toFile();
-                    if (!normalizedFolder.toPath().startsWith(packFolder.toPath())) {
+                    File file = new File(packFolder, name);
+                    File normalizedFile = file.toPath().normalize().toFile();
+                    if (!normalizedFile.toPath().startsWith(packFolder.toPath())) {
                         throw new IOException("Bad zip entry: " + name);
                     }
-                    normalizedFolder.mkdirs();
-                    File file = new File(normalizedFolder, fileName);
-                    if (file.exists()) {
-                        file.delete();
+                    File folder = normalizedFile.getParentFile();
+                    folder.mkdirs();
+                    if (normalizedFile.exists()) {
+                        normalizedFile.delete();
                     }
-                    FileUtils.copy(new ByteArrayInputStream(currentEntry), file);
+                    FileUtils.copy(new ByteArrayInputStream(currentEntry), normalizedFile);
                 }
             }
         } catch (Exception e) {

Original file line number	Diff line number	Diff line change
`@@ -159,17 +159,17 @@ public void run() {`
`159`	`159`	`}`
`160`	`160`	`byte[] currentEntry = baos.toByteArray();`
`161`	`161`
`162`		`- File folder = new File(packFolder, name).getParentFile();`
`163`		`- File normalizedFolder = folder.toPath().normalize().toFile();`
`164`		`- if (!normalizedFolder.toPath().startsWith(packFolder.toPath())) {`
	`162`	`+ File file = new File(packFolder, name);`
	`163`	`+ File normalizedFile = file.toPath().normalize().toFile();`
	`164`	`+ if (!normalizedFile.toPath().startsWith(packFolder.toPath())) {`
`165`	`165`	`throw new IOException("Bad zip entry: " + name);`
`166`	`166`	`}`
`167`		`- normalizedFolder.mkdirs();`
`168`		`- File file = new File(normalizedFolder, fileName);`
`169`		`- if (file.exists()) {`
`170`		`- file.delete();`
	`167`	`+ File folder = normalizedFile.getParentFile();`
	`168`	`+ folder.mkdirs();`
	`169`	`+ if (normalizedFile.exists()) {`
	`170`	`+ normalizedFile.delete();`
`171`	`171`	`}`
`172`		`- FileUtils.copy(new ByteArrayInputStream(currentEntry), file);`
	`172`	`+ FileUtils.copy(new ByteArrayInputStream(currentEntry), normalizedFile);`
`173`	`173`	`}`
`174`	`174`	`}`
`175`	`175`	`} catch (Exception e) {`