From c968e94b2c93da434a4ecfac6d08eda162d615d0 Mon Sep 17 00:00:00 2001
From: Nico Mexis
Date: Fri, 7 Jan 2022 21:37:24 +0100
Subject: [PATCH] Mitigate Zip Slip exlpoit

---
 .../bytecode/club/bytecodeviewer/util/ZipUtils.java | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/main/java/the/bytecode/club/bytecodeviewer/util/ZipUtils.java b/src/main/java/the/bytecode/club/bytecodeviewer/util/ZipUtils.java
index 499fc662..f7e9a648 100644
--- a/src/main/java/the/bytecode/club/bytecodeviewer/util/ZipUtils.java
+++ b/src/main/java/the/bytecode/club/bytecodeviewer/util/ZipUtils.java
@@ -35,6 +35,7 @@ import java.util.zip.ZipOutputStream;
  */
 public final class ZipUtils
 {
+    // TODO: Maybe migrate to org.apache.commons.compress.archivers.examples.Expander?
     /**
      * Unzip files to path.
      *
@@ -67,6 +68,11 @@ public final class ZipUtils
             String fileName = destinationDir + File.separator + entry.getName();
             File f = new File(fileName);
 
+            if (!f.getCanonicalPath().startsWith(destinationDir)) {
+                System.out.println("Zip Slip exploit detected. Skipping entry " + entry.getName());
+                continue;
+            }
+
             File parent = f.getParentFile();
             if (!parent.exists()) {
                 parent.mkdirs();
@@ -106,7 +112,7 @@ public final class ZipUtils
     public static void zipFolder(String srcFolder, String destZipFile, String ignore) throws Exception
     {
         try (FileOutputStream fileWriter = new FileOutputStream(destZipFile);
-             ZipOutputStream zip = new ZipOutputStream(fileWriter)){
+             ZipOutputStream zip = new ZipOutputStream(fileWriter)) {
             addFolderToZip("", srcFolder, zip, ignore);
             zip.flush();
         }
@@ -114,7 +120,7 @@ public final class ZipUtils
     public static void zipFolderAPKTool(String srcFolder, String destZipFile) throws Exception
     {
         try (FileOutputStream fileWriter = new FileOutputStream(destZipFile);
-             ZipOutputStream zip = new ZipOutputStream(fileWriter)){
+             ZipOutputStream zip = new ZipOutputStream(fileWriter)) {
             addFolderToZipAPKTool("", srcFolder, zip);
             zip.flush();
         }
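Review bot: The added `if` in the second hunk compares the canonical path of the entry against the raw `destinationDir` string, which is fragile in both directions: when `destinationDir` is relative, contains `..`, or goes through a symlink, `getCanonicalPath()` resolves the entry to a different prefix and every entry is skipped, and when it is absolute a bare `startsWith` still accepts a sibling directory whose name merely begins with the destination (constructed example: `/tmp/out2/x` for a destination of `/tmp/out`) because no separator is required after the prefix. Canonicalize the destination once before the loop, `String canonicalDest = new File(destinationDir).getCanonicalPath();`, and require the separator in the comparison, `if (!f.getCanonicalPath().startsWith(canonicalDest + File.separator)) {`. It is also worth deciding whether a rejected entry should abort the extraction instead of being skipped with a `System.out.println`, since a partially extracted archive is otherwise reported as a success to the caller. The enclosing unzip method starts and ends outside this hunk.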
@@ -199,4 +205,4 @@ public final class ZipUtils
             }
         }
     }
-}
\ No newline at end of file
+}