Fix - Add zip slip validation (#866)

* Fix var names * Fix - Add fix after rebase * Fix - Add zip slip validation * Fix - Add zip slip validation * Fix - Add zip slip validation --------- Co-authored-by: David Fadida <[email protected]>
combust · Sep 15, 2023 · 35bf420 · 35bf420
1 parent 102e401
commit 35bf420
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/bundle-ml/src/main/scala/ml/combust/bundle/util/FileUtil.scala b/bundle-ml/src/main/scala/ml/combust/bundle/util/FileUtil.scala
@@ -2,7 +2,7 @@ package ml.combust.bundle.util
 
 import java.io.{IOException, InputStream, OutputStream}
 import java.nio.file.attribute.BasicFileAttributes
-import java.nio.file.{FileVisitResult, Files, Path, SimpleFileVisitor}
+import java.nio.file.{FileVisitResult, Files, FileSystems, Path, SimpleFileVisitor}
 import java.util.Comparator
 import java.util.stream.Collectors
 import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}
@@ -70,6 +70,11 @@ object FileUtil {
       if (entry.isDirectory) {
         Files.createDirectories(filePath)
       } else {
+        val destCanonical = dest.toRealPath()
+        val entryCanonical = filePath.toAbsolutePath().normalize()
+        if (!entryCanonical.startsWith(destCanonical + FileSystems.getDefault().getSeparator())) {
+          throw new Exception("Entry is outside of the target dir: " + entry.getName)
+        }
         Using(Files.newOutputStream(filePath)) {
           out => writeData(in, out)
         }