Skip to content

Commit

Permalink
Merge pull request #87 from odinn1984/fix/fail_on_outside_target_files
Browse files Browse the repository at this point in the history
fix: fail when trying to extract outside of dest dir
  • Loading branch information
khmarbaise authored May 6, 2018
2 parents 97c0d97 + 58bc24e commit f8f4233
Show file tree
Hide file tree
Showing 3 changed files with 33 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,15 @@ protected void extractFile( final File srcF, final File dir, final InputStream c
// Hmm. Symlinks re-evaluate back to the original file here. Unsure if this is a good thing...
final File f = FileUtils.resolveFile( dir, entryName );

// Make sure that the resolved path of the extracted file doesn't escape the destination directory
String canonicalDirPath = dir.getCanonicalPath();
String canonicalDestPath = f.getCanonicalPath();

if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
{
throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
}

try
{
if ( !isOverwrite() && f.exists() && ( f.lastModified() >= entryDate.getTime() ) )
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,30 @@ public void testSelectors()
} );
}

public void testExtractingZipWithEntryOutsideDestDirThrowsException()
throws Exception
{
Exception ex = null;
String s = "target/zip-unarchiver-slip-tests";
File testZip = new File( getBasedir(), "src/test/zips/zip-slip.zip" );
File outputDirectory = new File( getBasedir(), s );

FileUtils.deleteDirectory( outputDirectory );

try
{
ZipUnArchiver zu = getZipUnArchiver( testZip );
zu.extract( "", outputDirectory );
}
catch ( Exception e )
{
ex = e;
}

assertNotNull( ex );
assertTrue( ex.getMessage().startsWith( "Entry is outside of the target directory" ) );
}

private ZipArchiver getZipArchiver()
{
try
Expand Down
Binary file added src/test/zips/zip-slip.zip
Binary file not shown.

0 comments on commit f8f4233

Please sign in to comment.