[#514] fix path validation of jar entry files
laurentschoelens authored and mattrpav committed Apr 9, 2024
1 parent c2e4fe0 commit 18c4f71
Showing 1 changed file with 5 additions and 3 deletions.
Expand Up @@ -16,6 +16,8 @@
public class JarScanner extends AbstractScanner {
private static final String[] EMPTY_STRING_ARRAY = new String[0];

private File destinationDir = new File("/tmp");

/**
* The jar artifact to be scanned.
*/
Expand Down Expand Up @@ -52,9 +54,9 @@ public void scan() {
while (jarFileEntries.hasMoreElements()) {
JarEntry entry = jarFileEntries.nextElement();
String name = entry.getName();
if (name.startsWith("..") || name.startsWith("/")) {
// ignore "zip slip" file pattern attack
continue;
File file = new File(destinationDir, entry.getName());
if (!file.toPath().normalize().startsWith(destinationDir.toPath())) {
throw new IOException("Bad zip entry for " + entry.getName());
}
char[][] tokenizedName = tokenizePathToCharArray(name, File.separator);
if (name.endsWith("/")) {
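Review bot: The containment check on the new `if` normalizes the entry path but compares it against `destinationDir.toPath()` as-is, so a base such as `./out` or `out/../out` appears to make `startsWith` fail for every legitimate entry, because Path.startsWith matches name elements and the normalized entry path no longer carries `.` or `..` elements. Normalize and absolutize both sides: hoist `Path base = destinationDir.toPath().toAbsolutePath().normalize();` above the loop and test `if (!new File(destinationDir, name).toPath().toAbsolutePath().normalize().startsWith(base)) {` (this needs `java.nio.file.Path` imported if it is not already). The `name` local already holds `entry.getName()`, so the two repeated calls on the new lines could reuse it. scan() begins and ends outside the hunk, so whether the new IOException is declared or wrapped there cannot be confirmed from this page.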
