Mitigate Zip Slip exlpoit

This commit is contained in:
Nico Mexis 2022-01-07 21:37:24 +01:00
parent 5624f3f010
commit c968e94b2c
No known key found for this signature in database
GPG Key ID: 27D6E17CE092AB78
1 changed files with 9 additions and 3 deletions


@ -35,6 +35,7 @@ import java.util.zip.ZipOutputStream;
*/ */
public final class ZipUtils { public final class ZipUtils {
// TODO: Maybe migrate to org.apache.commons.compress.archivers.examples.Expander?
/** /**
* Unzip files to path. * Unzip files to path.
* *
@ -67,6 +68,11 @@ public final class ZipUtils {
String fileName = destinationDir + File.separator + entry.getName(); String fileName = destinationDir + File.separator + entry.getName();
File f = new File(fileName); File f = new File(fileName);
if (!f.getCanonicalPath().startsWith(destinationDir)) {
System.out.println("Zip Slip exploit detected. Skipping entry " + entry.getName());
continue;
}
File parent = f.getParentFile(); File parent = f.getParentFile();
if (!parent.exists()) { if (!parent.exists()) {
parent.mkdirs(); parent.mkdirs();
@ -106,7 +112,7 @@ public final class ZipUtils {
public static void zipFolder(String srcFolder, String destZipFile, String ignore) throws Exception { public static void zipFolder(String srcFolder, String destZipFile, String ignore) throws Exception {
try (FileOutputStream fileWriter = new FileOutputStream(destZipFile); try (FileOutputStream fileWriter = new FileOutputStream(destZipFile);
ZipOutputStream zip = new ZipOutputStream(fileWriter)){ ZipOutputStream zip = new ZipOutputStream(fileWriter)) {
addFolderToZip("", srcFolder, zip, ignore); addFolderToZip("", srcFolder, zip, ignore);
zip.flush(); zip.flush();
} }
@ -114,7 +120,7 @@ public final class ZipUtils {
public static void zipFolderAPKTool(String srcFolder, String destZipFile) throws Exception { public static void zipFolderAPKTool(String srcFolder, String destZipFile) throws Exception {
try (FileOutputStream fileWriter = new FileOutputStream(destZipFile); try (FileOutputStream fileWriter = new FileOutputStream(destZipFile);
ZipOutputStream zip = new ZipOutputStream(fileWriter)){ ZipOutputStream zip = new ZipOutputStream(fileWriter)) {
addFolderToZipAPKTool("", srcFolder, zip); addFolderToZipAPKTool("", srcFolder, zip);
zip.flush(); zip.flush();
} }
@ -199,4 +205,4 @@ public final class ZipUtils {
} }
} }
} }
} }
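Review bot: The containment check in the second hunk compares a canonical path against the raw `destinationDir` string, so the two sides are not normalised the same way: a relative, symlinked or `..`-containing `destinationDir` never matches and every entry is skipped, while a prefix-only comparison still accepts a sibling directory such as `<dest>2` (constructed example). Canonicalise the destination once and include the separator in the prefix, e.g. `String canonicalDestDir = new File(destinationDir).getCanonicalPath() + File.separator;` followed by `if (!f.getCanonicalPath().startsWith(canonicalDestDir)) {`; the surrounding loop and the declaration of `destinationDir` start outside the hunk, so the hoisting point is not visible here. Silently skipping the entry with a `System.out.println` also means a crafted archive extracts partially without the caller learning about it; rejecting the archive with an `IOException` that names the offending entry would be the safer contract, and the message should go through whatever logging the class otherwise uses rather than stdout. The third and fourth hunks are whitespace only.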