fix: Fix potential security issues

RomualdRousseau · Sep 22, 2024 · 8b973af · 8b973af
1 parent b44f148
commit 8b973af
Showing 1 changed file with 3 additions and 7 deletions.
diff --git a/any2json/src/main/java/com/github/romualdrousseau/any2json/util/Disk.java b/any2json/src/main/java/com/github/romualdrousseau/any2json/util/Disk.java
@@ -7,15 +7,12 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Comparator;
-import java.util.List;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import java.util.zip.ZipOutputStream;
 
 public class Disk
 {
-    private static final List<String> DANGEROUS_PATH = List.of("..", ".");
-
     public static void copyDir(Path src, Path dest) throws IOException {
         Files.walk(src).forEach(source -> copyFile(source, dest.resolve(src.relativize(source))));
     }
@@ -49,12 +46,11 @@ public static void unzipDir(final Path zipFile, final Path folder) throws IOExce
         try (final var zis = new ZipInputStream(new FileInputStream(zipFile.toFile()))) {
             ZipEntry ze = zis.getNextEntry();
             while (ze != null) {
-                if (DANGEROUS_PATH.contains(ze.getName())) {
-                    continue;
+                final var newFile = folder.resolve(ze.getName()).normalize();
+                if (!newFile.startsWith(folder)) {
+                    throw new IOException("Bad zip entry: " + ze.getName());
                 }
 
-                final var newFile = folder.resolve(ze.getName());
-
                 // Ensure parent directory exists
                 newFile.getParent().toFile().mkdirs();