Merge pull request #1085 from soot-oss/fix/ZipSlipVulnerabilityInPath…

…basedInputLocation fix zipslip against pathtraversal write in WarFileInputLocation
soot-oss · Sep 25, 2024 · 2d7ee55 · 2d7ee55
2 parents 62401b4 + 796f282
commit 2d7ee55
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/...main/java/sootup/java/bytecode/frontend/inputlocation/PathBasedAnalysisInputLocation.java b/...main/java/sootup/java/bytecode/frontend/inputlocation/PathBasedAnalysisInputLocation.java
@@ -447,9 +447,20 @@ void extractWarFile(Path warFilePath, final Path destDirectory) {
           Path filepath = destDirectory.resolve(zipEntry.getName());
           final File file = filepath.toFile();
 
+          String canonicalPathStr = file.getCanonicalPath();
+          if (!canonicalPathStr.startsWith(destDirectory + File.separator)) {
+            throw new IllegalArgumentException(
+                "ZipSlip Attack Mitigated: ZipEntry points outside of the target dir: "
+                    + file.getName());
+          }
+
           file.deleteOnExit();
           if (zipEntry.isDirectory()) {
-            file.mkdir();
+            boolean mkdir = file.mkdir();
+            if (!mkdir) {
+              throw new IllegalStateException(
+                  "Could not create Directory: " + file.getAbsolutePath());
+            }
           } else {
             byte[] incomingValues = new byte[4096];
             int readBytesZip;