Improve Zip Slip detection

Konloch · Jan 7, 2022 · 1ec0265 · 1ec0265
1 parent c968e94
commit 1ec0265
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/util/ZipUtils.java b/src/main/java/the/bytecode/club/bytecodeviewer/util/ZipUtils.java
@@ -44,6 +44,11 @@ public final class ZipUtils {
      * @throws IOException Signals that an I/O exception has occurred.
      */
     public static void unzipFilesToPath(String jarPath, String destinationDir) throws IOException {
+        String canonicalDestDir = new File(destinationDir).getCanonicalPath();
+        if (!canonicalDestDir.endsWith(File.separator)) {
+            canonicalDestDir += File.separator;
+        }
+
         File file = new File(jarPath);
         try (JarFile jar = new JarFile(file)) {
 
@@ -68,7 +73,7 @@ public static void unzipFilesToPath(String jarPath, String destinationDir) throw
                 String fileName = destinationDir + File.separator + entry.getName();
                 File f = new File(fileName);
 
-                if (!f.getCanonicalPath().startsWith(destinationDir)) {
+                if (!f.getCanonicalPath().startsWith(canonicalDestDir)) {
                     System.out.println("Zip Slip exploit detected. Skipping entry " + entry.getName());
                     continue;
                 }