From c7d4db1d2570579a7735b4d48a4380bc4b7152a5 Mon Sep 17 00:00:00 2001
From: Rupali Behera
Date: Tue, 5 Jun 2018 22:48:25 +0200
Subject: [PATCH] This will not extract file to any random directory
---
 .../src/main/java/io/fabric8/utils/Zips.java | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/components/fabric8-utils/src/main/java/io/fabric8/utils/Zips.java b/components/fabric8-utils/src/main/java/io/fabric8/utils/Zips.java
index 9bbcf00852b..51256f8ee81 100644
--- a/components/fabric8-utils/src/main/java/io/fabric8/utils/Zips.java
+++ b/components/fabric8-utils/src/main/java/io/fabric8/utils/Zips.java
@@ -114,6 +114,15 @@ public static void unzip(InputStream in, File toDir) throws IOException {
 if (!entry.isDirectory()) {
 String entryName = entry.getName();
 File toFile = new File(toDir, entryName);
+ String fileDestinationFullPath = toFile.getPath();
+ try{
+ if (!fileDestinationFullPath.startsWith(toDir.getPath())); throw new IOException("Extracting results to different directory");
+
+ }catch (IOException e){
+ System.out.println(e);
+ System.exit(1);
+ }
+
 toFile.getParentFile().mkdirs();
 OutputStream os = new FileOutputStream(toFile);
 try {
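Review bot: The added guard `if (!fileDestinationFullPath.startsWith(toDir.getPath()));` ends in a stray `;`, so the `if` has an empty body and the `throw` after it runs for every file entry; the first non-directory entry then reaches the catch and `System.exit(1)` stops the JVM. Even with the semicolon removed the check would not reject a traversal entry, because `getPath()` does not resolve `..` segments and a plain `startsWith` on the directory string also accepts a sibling directory that shares the prefix. The check should compare canonical paths with a trailing separator and let the `IOException` propagate, since `unzip` already declares it, instead of printing and exiting from a library utility. The body of `unzip` starts and ends outside this hunk, so the surrounding loop and stream handling were not reviewed.

```java
File toFile = new File(toDir, entryName);
// Resolve ".." segments and symlinks before comparing, and compare against the
// directory plus a separator so a sibling such as "<toDir>-other" does not match.
String canonicalDir = toDir.getCanonicalPath();
String canonicalDest = toFile.getCanonicalPath();
if (!canonicalDest.startsWith(canonicalDir + File.separator)) {
    throw new IOException("Zip entry is outside of the target directory: " + entryName);
}
// … unchanged: toFile.getParentFile().mkdirs() and the copy to FileOutputStream …
```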