Validate zip file names before extracting (Zip Slip)

slachiewicz · slachiewicz · commit c9408fa4f4fb · 2023-09-21T21:27:11.000+02:00
diff --git a/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/CSharpCompiler.java b/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/CSharpCompiler.java
@@ -285,7 +285,7 @@ private String[] buildCompilerArguments( CompilerConfiguration config, String[]
                     {
                         dllDir.mkdir();
                     }
-                    JarUtil.extract(dllDir, new File(element));
+                    JarUtil.extract(dllDir.toPath(), new File(element));
                     for (String tmpfile : dllDir.list()) 
                     {
                         if ( tmpfile.endsWith(DLL_SUFFIX) )
diff --git a/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/JarUtil.java b/plexus-compilers/plexus-compiler-csharp/src/main/java/org/codehaus/plexus/compiler/csharp/JarUtil.java
@@ -1,31 +1,35 @@
 package org.codehaus.plexus.compiler.csharp;
 
 import java.io.File;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.Enumeration;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 
 public class JarUtil {
-    public static void extract( File destDir, File jarFile ) throws IOException
-    {
-        JarFile jar = new JarFile( jarFile );
-        Enumeration enumEntries = jar.entries();
-        while ( enumEntries.hasMoreElements() ) {
-            JarEntry file = ( JarEntry ) enumEntries.nextElement();
-            File f = new File( destDir + File.separator + file.getName() );
-            if ( file.isDirectory() )
-            {
-                f.mkdir();
-                continue;
-            }
-            try ( InputStream is = jar.getInputStream( file ); FileOutputStream fos = new FileOutputStream( f ) )
-            {
-                while ( is.available() > 0 )
-                {
-                    fos.write( is.read() );
+    public static void extract(Path destDir, File jarFile) throws IOException {
+        Path toPath = destDir.normalize();
+        try (JarFile jar = new JarFile(jarFile)) {
+            Enumeration<JarEntry> enumEntries = jar.entries();
+            while (enumEntries.hasMoreElements()) {
+                JarEntry file = enumEntries.nextElement();
+                Path f = destDir.resolve(file.getName());
+                if (!f.startsWith(toPath)) {
+                    throw new IOException("Bad zip entry");
+                }
+                if (file.isDirectory()) {
+                    Files.createDirectories(f);
+                    continue;
+                }
+                try (InputStream is = jar.getInputStream(file);
+                     OutputStream fos = Files.newOutputStream(f)) {
+                    while (is.available() > 0) {
+                        fos.write(is.read());
+                    }
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -285,7 +285,7 @@ private String[] buildCompilerArguments( CompilerConfiguration config, String[]`
`285`	`285`	`{`
`286`	`286`	`dllDir.mkdir();`
`287`	`287`	`}`
`288`		`- JarUtil.extract(dllDir, new File(element));`
	`288`	`+ JarUtil.extract(dllDir.toPath(), new File(element));`
`289`	`289`	`for (String tmpfile : dllDir.list())`
`290`	`290`	`{`
`291`	`291`	`if ( tmpfile.endsWith(DLL_SUFFIX) )`