Check for file path when extracting the archive
This vulnerability is present in many open-source
projects because the particular code snippet has been
copy-pasted from project to project.
It's not a critical issue for frontend-maven-plugin,
because there is no viable attack vector that would
be closed by this patch. But the code here is patched
anyways, so that people who copy-paste the code will
have a patched copy of it.

The vulnerability was found by Snyk Security
Research Team.
eirslett committed May 30, 2018
1 parent 96bf990 commit 93d77ff
Showing 1 changed file with 5 additions and 0 deletions.
@@ -108,6 +108,11 @@ public void extract(String archive, String destinationDirectory) throws ArchiveE
// Create a file for this tarEntry
final File destPath = new File(destinationDirectory + File.separator + tarEntry.getName());
prepDestination(destPath, tarEntry.isDirectory());
if (!destPath.getCanonicalPath().startsWith(destinationDirectory)) {
throw new IOException(
"Expanding " + tarEntry.getName() + " would create file outside of " + destinationDirectory
);
}
if (!tarEntry.isDirectory()) {
destPath.createNewFile();
boolean isExecutable = (tarEntry.getMode() & 0100) > 0;
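Review bot: the added containment check compares a canonical path against a destination that is never canonicalized, so it can both over-reject and under-reject. `destPath.getCanonicalPath()` resolves symlinks and `..` segments, while `destinationDirectory` is used exactly as the caller passed it; a relative destination, or one reached through a symlink, will not be a prefix of the canonical entry path and every entry is then rejected. Conversely, `startsWith(destinationDirectory)` without a trailing separator also accepts a sibling directory whose name merely begins with the destination's name. Suggest computing `new File(destinationDirectory).getCanonicalPath()` once before the entry loop and checking `destPath.getCanonicalPath().startsWith(canonicalDest + File.separator)` (allowing exact equality for the directory entry itself). Separately, `prepDestination(destPath, tarEntry.isDirectory());` on the context line runs before the new check; if it creates parent directories, the check should move ahead of it so nothing is created on disk for an entry that is then rejected.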

0 comments on commit 93d77ff
