
Add unzip util method #906

Merged: 4 commits, Aug 30, 2018

Conversation

chanseokoh (Member)
For use in #431.

try (ZipInputStream zipIn = new ZipInputStream(Files.newInputStream(archive))) {

for (ZipEntry entry = zipIn.getNextEntry(); entry != null; entry = zipIn.getNextEntry()) {
Path entryPath = destination.resolve(entry.getName());
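Review bot: entry.getName() goes straight into destination.resolve on the last line of this hunk with no validation, so an entry named ../../x resolves to a path above destination and is created there. Reject any entry whose resolved path does not stay under destination before anything is written, for example by comparing the canonical path of entryPath against the canonical path of destination.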
Contributor

Could entry.getName() possibly refer to paths preceding destination?

chanseokoh (Member, Author)

That's the Zip-Slip vulnerability I mentioned above. I can address that in a later PR.


for (ZipEntry entry = zipIn.getNextEntry(); entry != null; entry = zipIn.getNextEntry()) {
// TODO: check Zip-Slip vulnerability: https://snyk.io/research/zip-slip-vulnerability#java
Path entryPath = destination.resolve(entry.getName());

if (entry.isDirectory()) {
Files.createDirectories(entryPath);
} else {
try (OutputStream out = Files.newOutputStream(entryPath)) {
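Review bot: the TODO on the second line of this hunk leaves both Files.createDirectories(entryPath) and Files.newOutputStream(entryPath) unguarded, so the traversal check needs to sit ahead of the isDirectory branch, not after it. Separately, the else branch assumes the parent directory of a file entry already exists, but many archives omit directory entries; call Files.createDirectories(entryPath.getParent()) before opening the output stream, otherwise extraction fails with NoSuchFileException on such archives.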
Contributor

And BufferedOutputStream here too?

chanseokoh (Member, Author)

Looking at the code of ByteStreams.copy, it does use a buffer in a very obvious way, so I'm inclined to leave the code simple. You could still argue that's an implementation detail of ByteStreams though.

chanseokoh (Member, Author)

Zip-Slip fix merged into this PR.


String canonicalTarget = entryPath.toFile().getCanonicalPath();
if (!canonicalTarget.startsWith(canonicalDestination + File.separator)) {
throw new IOException("Blocked unzipping files outside destination: " + entry.getName());
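Review bot: the prefix comparison in this hunk is only sound if canonicalDestination was produced by the same canonicalization as canonicalTarget (destination.toFile().getCanonicalPath()), which is not visible here; if it came from destination.toString(), a relative destination or one reached through a symlink would never match and every entry would be rejected. Appending File.separator before the comparison is correct, since it stops a sibling such as out2 from passing as a child of out. Keep this check ahead of the createDirectories and newOutputStream calls so no entry touches the filesystem before it is validated.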
Member

Could we include the filename too?

chanseokoh (Member, Author)

It's printing entry.getName() which is the file path in the zip. If this error happens, it would look like ../../../evil.attack.

Member

I meant the zip name

chanseokoh (Member, Author)

Oops!
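As an added example, not code from this PR or from the project, the following Java program builds a small archive in memory containing one normal entry and one `../../` entry, then extracts it with the canonical-path check discussed in the thread, including the archive name in the error message as the reviewer asked. The `ZipSlipDemo` class, its `unzip` and `buildArchive` methods, the entry names and the archive names are assumptions for illustration; it assumes Java 11 or later for `transferTo` and `Files.readString`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added example: Zip-Slip hardened extraction. Hypothetical class, not the project's ZipUtil. */
public class ZipSlipDemo {

  /** Extracts every entry of the archive into destination, rejecting entries that resolve outside it. */
  static void unzip(InputStream archive, String archiveName, Path destination) throws IOException {
    // Canonicalize the destination the same way each target is canonicalized below; otherwise a
    // relative destination, or one reached through a symlink, would never pass the prefix check.
    String canonicalDestination = destination.toFile().getCanonicalPath();
    Files.createDirectories(destination);

    try (ZipInputStream zipIn = new ZipInputStream(archive)) {
      for (ZipEntry entry = zipIn.getNextEntry(); entry != null; entry = zipIn.getNextEntry()) {
        Path entryPath = destination.resolve(entry.getName());

        // Zip-Slip check, performed before anything is created on disk. Appending File.separator
        // keeps a sibling such as "/tmp/out2" from passing as a child of "/tmp/out".
        String canonicalTarget = entryPath.toFile().getCanonicalPath();
        if (!canonicalTarget.startsWith(canonicalDestination + File.separator)) {
          throw new IOException(
              "Blocked unzipping files outside destination: " + entry.getName()
                  + " in " + archiveName);
        }

        if (entry.isDirectory()) {
          Files.createDirectories(entryPath);
        } else {
          // Archives often omit directory entries, so create the parent explicitly.
          Files.createDirectories(entryPath.getParent());
          try (OutputStream out = Files.newOutputStream(entryPath)) {
            zipIn.transferTo(out);
          }
        }
      }
    }
  }

  /** Builds a constructed archive: one benign entry and, optionally, one path-traversal entry. */
  static byte[] buildArchive(boolean includeTraversal) throws IOException {
    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    try (ZipOutputStream zipOut = new ZipOutputStream(bytes)) {
      zipOut.putNextEntry(new ZipEntry("dir/hello.txt"));
      zipOut.write("hello".getBytes(StandardCharsets.UTF_8));
      zipOut.closeEntry();
      if (includeTraversal) {
        // Constructed malicious entry name; ZipOutputStream accepts it without complaint.
        zipOut.putNextEntry(new ZipEntry("../../evil.attack"));
        zipOut.write("pwned".getBytes(StandardCharsets.UTF_8));
        zipOut.closeEntry();
      }
    }
    return bytes.toByteArray();
  }

  public static void main(String[] args) throws IOException {
    Path destination = Files.createTempDirectory("unzip-demo");

    unzip(new ByteArrayInputStream(buildArchive(false)), "benign.zip", destination);
    System.out.println("benign archive extracted: "
        + Files.readString(destination.resolve("dir/hello.txt")));

    try {
      unzip(new ByteArrayInputStream(buildArchive(true)), "evil.zip", destination);
      System.out.println("BUG: traversal entry was not blocked");
    } catch (IOException e) {
      // The message names both the offending entry and the archive it came from.
      System.out.println(e.getMessage());
    }
    // The traversal entry was rejected before any file was opened, so nothing was written above
    // the destination directory.
    System.out.println("escaped file exists: "
        + Files.exists(destination.resolve("../../evil.attack").normalize()));
  }
}
```

The benign entries of the malicious archive that precede the traversal entry are still extracted, because entries are processed in order and the exception aborts the loop at the first bad one; if a caller needs all-or-nothing semantics it should extract into a fresh temporary directory and move it into place only after the loop completes.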

@chanseokoh chanseokoh merged commit 223c031 into master Aug 30, 2018
@chanseokoh chanseokoh deleted the i431-add-ZipUtil branch August 30, 2018 20:28
@chanseokoh chanseokoh mentioned this pull request Sep 19, 2018