Mitigate Zip Slip exploit

Nico Mexis 2022-01-07 21:37:24 +01:00
parent 5624f3f010
commit c968e94b2c
No known key found for this signature in database
GPG key ID: 27D6E17CE092AB78


@ -35,6 +35,7 @@ import java.util.zip.ZipOutputStream;
*/
public final class ZipUtils {
// TODO: Maybe migrate to org.apache.commons.compress.archivers.examples.Expander?
/**
* Unzip files to path.
*
@ -67,6 +68,11 @@ public final class ZipUtils {
String fileName = destinationDir + File.separator + entry.getName();
File f = new File(fileName);
if (!f.getCanonicalPath().startsWith(destinationDir)) {
System.out.println("Zip Slip exploit detected. Skipping entry " + entry.getName());
continue;
}
File parent = f.getParentFile();
if (!parent.exists()) {
parent.mkdirs();
@ -106,7 +112,7 @@ public final class ZipUtils {
public static void zipFolder(String srcFolder, String destZipFile, String ignore) throws Exception {
try (FileOutputStream fileWriter = new FileOutputStream(destZipFile);
ZipOutputStream zip = new ZipOutputStream(fileWriter)){
ZipOutputStream zip = new ZipOutputStream(fileWriter)) {
addFolderToZip("", srcFolder, zip, ignore);
zip.flush();
}
@ -114,7 +120,7 @@ public final class ZipUtils {
public static void zipFolderAPKTool(String srcFolder, String destZipFile) throws Exception {
try (FileOutputStream fileWriter = new FileOutputStream(destZipFile);
ZipOutputStream zip = new ZipOutputStream(fileWriter)){
ZipOutputStream zip = new ZipOutputStream(fileWriter)) {
addFolderToZipAPKTool("", srcFolder, zip);
zip.flush();
}
@ -199,4 +205,4 @@ public final class ZipUtils {
}
}
}
}
}
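Review bot: The containment check in the second hunk, `f.getCanonicalPath().startsWith(destinationDir)`, is a plain string-prefix comparison, so an entry that resolves into a sibling directory whose name merely begins with the destination's name still passes. `destinationDir` is also compared as given; if it is not already canonical (its definition is outside the hunk), legitimate entries may be skipped and the comparison becomes unreliable. I would compare path elements against a canonical base instead: `Path base = new File(destinationDir).getCanonicalFile().toPath();` computed once before the entry loop, and `if (!f.getCanonicalFile().toPath().startsWith(base)) {` as the guard. The enclosing unzip method starts and ends outside the hunk, so whether `java.nio.file.Path` is already imported cannot be confirmed from here.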