From 35bf420cf3db3a23e287c342b6b310172610f8a9 Mon Sep 17 00:00:00 2001
From: David Fadida
Date: Sat, 16 Sep 2023 00:22:07 +0300
Subject: [PATCH] Fix - Add zip slip validation (#866)

* Fix var names

* Fix - Add fix after rebase

* Fix - Add zip slip validation

* Fix - Add zip slip validation

* Fix - Add zip slip validation

---------

Co-authored-by: David Fadida
---
 .../src/main/scala/ml/combust/bundle/util/FileUtil.scala | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/bundle-ml/src/main/scala/ml/combust/bundle/util/FileUtil.scala b/bundle-ml/src/main/scala/ml/combust/bundle/util/FileUtil.scala
index 1cfb2ab14..86732131c 100644
--- a/bundle-ml/src/main/scala/ml/combust/bundle/util/FileUtil.scala
+++ b/bundle-ml/src/main/scala/ml/combust/bundle/util/FileUtil.scala
@@ -2,7 +2,7 @@ package ml.combust.bundle.util
 
 import java.io.{IOException, InputStream, OutputStream}
 import java.nio.file.attribute.BasicFileAttributes
-import java.nio.file.{FileVisitResult, Files, Path, SimpleFileVisitor}
+import java.nio.file.{FileVisitResult, Files, FileSystems, Path, SimpleFileVisitor}
 import java.util.Comparator
 import java.util.stream.Collectors
 import java.util.zip.{ZipEntry, ZipInputStream, ZipOutputStream}
@@ -70,6 +70,11 @@ object FileUtil {
       if (entry.isDirectory) {
         Files.createDirectories(filePath)
       } else {
+        val destCanonical = dest.toRealPath()
+        val entryCanonical = filePath.toAbsolutePath().normalize()
+        if (!entryCanonical.startsWith(destCanonical + FileSystems.getDefault().getSeparator())) {
+          throw new Exception("Entry is outside of the target dir: " + entry.getName)
+        }
         Using(Files.newOutputStream(filePath)) { out =>
           writeData(in, out)
         }
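Review bot: The traversal check in the second hunk sits only in the `else` branch, so a directory entry whose name contains `..` still reaches `Files.createDirectories(filePath)` and creates directories outside `dest`; the check belongs before the `isDirectory` branch so both entry kinds are validated. The comparison is also asymmetric: `dest.toRealPath()` resolves symlinks while `filePath.toAbsolutePath().normalize()` does not, so a `dest` that lives under a symlinked directory makes every entry fail with a false positive, and the `destCanonical + separator` expression relies on Scala's `any2stringadd` implicit turning a `Path` into a `String` — comparing two normalized `Path`s with `Path.startsWith(Path)` is element-wise (so `dest2` does not match `dest`) and needs no separator trick. `throw new Exception` gives callers nothing specific to catch; `IOException` is already imported in the first hunk and matches the other failure modes of extraction. The enclosing loop and the derivation of `filePath` start outside the hunk, so the insertion point should be confirmed against the full function.
```scala
// … unchanged: entry loop, filePath derived from dest and entry.getName …
val destNormalized = dest.toAbsolutePath.normalize
val entryNormalized = filePath.toAbsolutePath.normalize
// Element-wise prefix check on normalized paths: rejects ".." escapes and sibling dirs
// such as "dest2" without string/separator games. Applies to directories and files alike.
if (!entryNormalized.startsWith(destNormalized)) {
  throw new IOException("Entry is outside of the target dir: " + entry.getName)
}
if (entry.isDirectory) {
  Files.createDirectories(filePath)
} else {
  // … unchanged: Using(Files.newOutputStream(filePath)) { out => writeData(in, out) } …
```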