This will not extract file to any random directory

fabric8io · Jun 5, 2018 · c7d4db1 · c7d4db1
1 parent a7f7364
commit c7d4db1
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/components/fabric8-utils/src/main/java/io/fabric8/utils/Zips.java b/components/fabric8-utils/src/main/java/io/fabric8/utils/Zips.java
@@ -114,6 +114,15 @@ public static void unzip(InputStream in, File toDir) throws IOException {
                 if (!entry.isDirectory()) {
                     String entryName = entry.getName();
                     File toFile = new File(toDir, entryName);
+                    String fileDestinationFullPath = toFile.getPath();
+                    try{
+                    if (!fileDestinationFullPath.startsWith(toDir.getPath())); throw new IOException("Extracting results to different directory");
+
+                    }catch (IOException e){
+                        System.out.println(e);
+                        System.exit(1);
+                    }
+
                     toFile.getParentFile().mkdirs();
                     OutputStream os = new FileOutputStream(toFile);
                     try {