Merge pull request #3250 from mybatis/autofix/alert-7-b48d877adc

hazendaz · web-flow · commit 45953df03cb7 · 2024-09-25T20:06:57.000-04:00
Fix code scanning alert no. 7: Arbitrary file access during archive extraction ("Zip Slip")
diff --git a/src/main/java/org/apache/ibatis/io/DefaultVFS.java b/src/main/java/org/apache/ibatis/io/DefaultVFS.java
@@ -79,10 +79,15 @@ public List<String> list(URL url, String path) throws IOException {
               if (log.isDebugEnabled()) {
                 log.debug("Listing " + url);
               }
+              File destinationDir = new File(path);
               for (JarEntry entry; (entry = jarInput.getNextJarEntry()) != null;) {
                 if (log.isDebugEnabled()) {
                   log.debug("Jar entry: " + entry.getName());
                 }
+                File entryFile = new File(destinationDir, entry.getName()).getCanonicalFile();
+                if (!entryFile.getPath().startsWith(destinationDir.getCanonicalPath())) {
+                  throw new IOException("Bad zip entry: " + entry.getName());
+                }
                 children.add(entry.getName());
               }
             }

Original file line number	Diff line number	Diff line change
`@@ -79,10 +79,15 @@ public List<String> list(URL url, String path) throws IOException {`
`79`	`79`	`if (log.isDebugEnabled()) {`
`80`	`80`	`log.debug("Listing " + url);`
`81`	`81`	`}`
	`82`	`+ File destinationDir = new File(path);`
`82`	`83`	`for (JarEntry entry; (entry = jarInput.getNextJarEntry()) != null;) {`
`83`	`84`	`if (log.isDebugEnabled()) {`
`84`	`85`	`log.debug("Jar entry: " + entry.getName());`
`85`	`86`	`}`
	`87`	`+ File entryFile = new File(destinationDir, entry.getName()).getCanonicalFile();`
	`88`	`+ if (!entryFile.getPath().startsWith(destinationDir.getCanonicalPath())) {`
	`89`	`+ throw new IOException("Bad zip entry: " + entry.getName());`
	`90`	`+ }`
`86`	`91`	`children.add(entry.getName());`
`87`	`92`	`}`
`88`	`93`	`}`