-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add unzip util method #906
Conversation
6d2242a
to
2f22336
Compare
jib-core/src/main/java/com/google/cloud/tools/jib/zip/ZipUtil.java
Outdated
Show resolved
Hide resolved
jib-core/src/main/java/com/google/cloud/tools/jib/zip/ZipUtil.java
Outdated
Show resolved
Hide resolved
try (ZipInputStream zipIn = new ZipInputStream(Files.newInputStream(archive))) { | ||
|
||
for (ZipEntry entry = zipIn.getNextEntry(); entry != null; entry = zipIn.getNextEntry()) { | ||
Path entryPath = destination.resolve(entry.getName()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could entry.getName()
possibly refer to paths preceding destination
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's the Zip-Slip vulnerability I mentioned above. I can address that in a later PR.
jib-core/src/main/java/com/google/cloud/tools/jib/zip/ZipUtil.java
Outdated
Show resolved
Hide resolved
jib-core/src/main/java/com/google/cloud/tools/jib/zip/ZipUtil.java
Outdated
Show resolved
Hide resolved
|
||
for (ZipEntry entry = zipIn.getNextEntry(); entry != null; entry = zipIn.getNextEntry()) { | ||
// TODO: check Zip-Slip vulnerability: https://snyk.io/research/zip-slip-vulnerability#java | ||
Path entryPath = destination.resolve(entry.getName()); | ||
|
||
if (entry.isDirectory()) { | ||
Files.createDirectories(entryPath); | ||
} else { | ||
try (OutputStream out = Files.newOutputStream(entryPath)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And BufferedOutputStream
here too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at the code of ByteStreams.copy
, it does use a buffer in a very obvious way, so I'm inclined to leave the code simple. You could still argue that's an implementation detail of ByteStreams
though.
Zip-Slip fix merged into this PR. |
|
||
String canonicalTarget = entryPath.toFile().getCanonicalPath(); | ||
if (!canonicalTarget.startsWith(canonicalDestination + File.separator)) { | ||
throw new IOException("Blocked unzipping files outside destination: " + entry.getName()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we include the filename too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's printing entry.getName()
which is the file path in the zip. If this error happens, it would look like ../../../evil.attack
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I meant the zip name
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops!
For use in #431.