Merge pull request #557 from BulkSecurityGeneratorProjectV2/fix/JLL/z…
…ip-slip-vulnerability

[SECURITY] Fix Zip Slip Vulnerability
dstenger authored Mar 31, 2023
2 parents 1946575 + 509a7cc commit 2e476f4
Showing 1 changed file with 9 additions and 9 deletions.
@@ -11,13 +11,7 @@
*/
package com.occamlab.te.parsers;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.io.InputStream;

import java.io.*;
import java.net.URLConnection;

import java.util.logging.Level;
@@ -149,8 +143,11 @@ private static Document parse(InputStream is, Element instruction,
subdir = filename.substring(0, filename.lastIndexOf("/"));
else if (filename.lastIndexOf("\\") != -1)
subdir = filename.substring(0, filename.lastIndexOf("\\"));
new File(path + "/" + subdir).mkdirs();
new File(path, subdir).mkdirs();
File outFile = new File(path, filename);
if (!outFile.toPath().normalize().startsWith(path)) {
throw new IOException("Bad zip entry");
}
if (outFile.isDirectory())
continue;
OutputStream out = new FileOutputStream(outFile);
@@ -246,8 +243,11 @@ private Document saveZipFile(String filepath, Document instruction)
subdir = filename.substring(0, filename.lastIndexOf("/"));
else if (filename.lastIndexOf("\\") != -1)
subdir = filename.substring(0, filename.lastIndexOf("\\"));
new File(path + "/" + subdir).mkdirs();
new File(path, subdir).mkdirs();
File outFile = new File(path, filename);
if (!outFile.toPath().normalize().startsWith(path)) {
throw new IOException("Bad zip entry");
}
if (outFile.isDirectory())
continue;
OutputStream out = new FileOutputStream(outFile);
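Review bot: In both hunks (`parse` and `saveZipFile`) the directory is still created before the entry is validated: `new File(path, subdir).mkdirs();` runs ahead of the `startsWith(path)` check, so an entry name with `..` segments can still cause directories to be created outside `path` before `IOException("Bad zip entry")` is thrown. Move the `mkdirs()` call below the check so a rejected entry never touches the filesystem. The check also compares a lexically normalized `outFile` path against `path` exactly as given; if `path` is relative or itself contains `.`/`..` segments (its declaration is outside the hunks, so this is unconfirmed), legitimate entries could be rejected, and `normalize()` does not resolve symlinks, so comparing absolute, normalized paths on both sides, e.g. `outFile.toPath().toAbsolutePath().normalize()` against the base directory normalized the same way, would be more robust. Both method bodies start and end outside the hunks.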