AWS Toolkit for Eclipse: v201805311643 Release.

CHANGELOG.json

@@ -1,6 +1,7 @@
 {
   "current": [
-    "* **Update Error Report dialog to include the Github issue link.**"
+    "* **Update Error Report dialog to include the Github issue link.**",
+    "* **Fix possible file-system security vulnerability in OpsWorks [ZipUtils](https://github.com/aws/aws-toolkit-eclipse/blob/36e996685b07ea16a4c073245cf52291453ddedb/bundles/com.amazonaws.eclipse.opsworks/src/com/amazonaws/eclipse/opsworks/deploy/util/ZipUtils.java#L58).**"
   ],
   "v201801042359": [
     "* **Merge Pull Request #93.**",

bundles/com.amazonaws.eclipse.opsworks/src/com/amazonaws/eclipse/opsworks/deploy/util/ZipUtils.java

@@ -56,7 +56,10 @@ public static void unzipFileToDirectory(File zipFile, File targetDirectory) thro
 
             String entryFileName = zipEntry.getName();
             File newFile = new File(targetDirectory, entryFileName);
-
+            if (!newFile.getCanonicalPath().startsWith(targetDirectory.getCanonicalPath())) {
+            	throw new RuntimeException(newFile.getAbsolutePath() + " is outside of targetDirectory: " + targetDirectory.getAbsolutePath());
+            }
+
             if (zipEntry.isDirectory()) {
                 if ( !newFile.exists() ) {
                     newFile.mkdirs();

tests/com.amazonaws.eclipse.opsworks.tests/.project

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>com.amazonaws.eclipse.opsworks.tests</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.pde.ManifestBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.pde.SchemaBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.m2e.core.maven2Builder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.m2e.core.maven2Nature</nature>
+		<nature>org.eclipse.pde.PluginNature</nature>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+	</natures>
+</projectDescription>

tests/com.amazonaws.eclipse.opsworks.tests/META-INF/MANIFEST.MF

@@ -0,0 +1,9 @@
+Manifest-Version: 1.0
+Bundle-ManifestVersion: 2
+Bundle-Name: AWS OpsWorks Plugin Tests
+Bundle-SymbolicName: com.amazonaws.eclipse.opsworks.tests
+Bundle-Version: 1.0.0.qualifier
+Bundle-Vendor: AMAZONAWS
+Fragment-Host: com.amazonaws.eclipse.opsworks;bundle-version="1.0.0"
+Bundle-RequiredExecutionEnvironment: JavaSE-1.7
+Require-Bundle: org.junit;bundle-version="4.11.0"

tests/com.amazonaws.eclipse.opsworks.tests/build.properties

@@ -0,0 +1,6 @@
+source.. = src/
+output.. = bin/
+bin.includes = META-INF/,\
+               .
+src.includes = src/,\
+               META-INF/

tests/com.amazonaws.eclipse.opsworks.tests/pom.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>com.amazonaws.eclipse.opsworks.tests</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+    <packaging>eclipse-test-plugin</packaging>
+
+    <parent>
+        <groupId>com.amazonaws.eclipse</groupId>
+        <artifactId>com.amazonaws.eclipse.tests</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+</project>

tests/com.amazonaws.eclipse.opsworks.tests/src/com/amazonaws/eclipse/opsworks/deploy/util/ZipUtilsTest.java

@@ -0,0 +1,76 @@
+package com.amazonaws.eclipse.opsworks.deploy.util;
+
+import static org.junit.Assert.assertEquals;
+import static com.amazonaws.eclipse.opsworks.deploy.util.ZipUtils.unzipFileToDirectory;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
+import org.apache.commons.io.IOUtils;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+public class ZipUtilsTest {
+
+    @Rule
+    public TemporaryFolder folder = new TemporaryFolder();
+
+    @Test
+    public void canUnpackAZipFileToDirectory() throws IOException {
+        File zipFile = folder.newFile("file.zip");
+        File target = folder.newFolder("target");
+        ZipOutputStream zipOutputStream = new ZipOutputStream(new FileOutputStream(zipFile));
+
+        writeEntry(zipOutputStream, "foo/bar.txt", "hello foo-bar!");
+        writeEntry(zipOutputStream, "baz.txt", "hello baz!");
+        writeEntry(zipOutputStream, "foo/../root.txt", "hello root!");
+
+        zipOutputStream.close();
+
+        unzipFileToDirectory(zipFile, target);
+
+        Map<String, String> actual = Files.walk(target.toPath()).filter(p -> p.toFile().isFile()).collect(Collectors.toMap(p -> target.toPath().relativize(p).toString(), this::content));
+        assertEquals("hello foo-bar!", actual.get("foo/bar.txt"));
+        assertEquals("hello baz!", actual.get("baz.txt"));
+        assertEquals("hello root!", actual.get("root.txt"));
+    }
+
+    @Test(expected = RuntimeException.class)
+    public void exceptionThrownIfRelativeFileAttemptsToLeaveParentDirectory() throws IOException {
+        File zipFile = folder.newFile("file.zip");
+        File target = folder.newFolder("target");
+        ZipOutputStream zipOutputStream = new ZipOutputStream(new FileOutputStream(zipFile));
+
+        writeEntry(zipOutputStream, "foo/bar.txt", "hello foo-bar!");
+        writeEntry(zipOutputStream, "../baz.txt", "hello baz!");
+
+        zipOutputStream.close();
+
+        unzipFileToDirectory(zipFile, target);
+    }
+
+    private void writeEntry(ZipOutputStream zipOutputStream, String name, String content) throws IOException {
+        zipOutputStream.putNextEntry(new ZipEntry(name));
+        IOUtils.copy(new ByteArrayInputStream(content.getBytes(StandardCharsets.UTF_8)), zipOutputStream);
+        zipOutputStream.closeEntry();
+    }
+
+    private String content(Path p) {
+        try {
+            return IOUtils.toString(new FileInputStream(p.toFile()));
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+}

tests/pom.xml

@@ -16,6 +16,7 @@
     <module>com.amazonaws.eclipse.elasticbeanstalk.tests</module>
     <module>com.amazonaws.eclipse.lambda.tests</module>
     <module>com.amazonaws.eclipse.simpledb.tests</module>
+    <module>com.amazonaws.eclipse.opsworks.tests</module>
   </modules>
 
   <build>