Merge pull request apache#12 from BulkSecurityGeneratorProjectV2/fix/…

…JLL/zip-slip-vulnerability [SECURITY] Fix Zip Slip Vulnerability
FritziTh · Nov 6, 2022 · 83fa43f · 83fa43f
2 parents f292b0b + f327df8
commit 83fa43f
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java b/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java
@@ -44,6 +44,9 @@ public static void unzip(final File zipFile, final File destination) throws IOEx
  while ((entry = in.getNextEntry()) != null) {
  final String path = entry.getName();
  final File file = new File(destination, path);
+ if (!file.toPath().normalize().startsWith(destination.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 
  if (entry.isDirectory()) {
  continue;