This is an automated email from the ASF dual-hosted git repository. cschneider pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/aries.git
The following commit(s) were added to refs/heads/trunk by this push:
new e8477fa ARIES-1934 - Make sure jar/zip files are jailed to the destination directory
new 9ef209c Merge pull request #102 from coheigea/ARIES-1934
e8477fa is described below
commit e8477faa3f37b7b1cab61e634137224552978f80
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Tue Oct 8 12:45:00 2019 +0100
ARIES-1934 - Make sure jar/zip files are jailed to the destination directory
---
.../src/main/java/org/apache/aries/spifly/statictool/Main.java | 9 ++++++---
util/src/main/java/org/apache/aries/util/io/IOUtils.java | 7 ++++++-
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java b/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
index 5bb448c..a4e2c14 100644
--- a/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
+++ b/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
@@ -243,14 +243,17 @@ public class Main {
 JarInputStream jis = new JarInputStream(new FileInputStream(jarFile));
 JarEntry je = null;
 while((je = jis.getNextJarEntry()) != null) {
+ File outFile = new File(tempDir, je.getName());
+ if (!outFile.getCanonicalPath().startsWith(tempDir.getCanonicalPath())) {
+ throw new IOException("The output file is not contained in the destination directory");
+ }
+
 if (je.isDirectory()) {
- File outDir = new File(tempDir, je.getName());
- ensureDirectory(outDir);
+ ensureDirectory(outFile);
 continue;
 }
- File outFile = new File(tempDir, je.getName());
 File outDir = outFile.getParentFile();
 ensureDirectory(outDir);
diff --git a/util/src/main/java/org/apache/aries/util/io/IOUtils.java b/util/src/main/java/org/apache/aries/util/io/IOUtils.java
index a926ea3..39054b2 100644
--- a/util/src/main/java/org/apache/aries/util/io/IOUtils.java
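Review bot: The containment check at `if (!outFile.getCanonicalPath().startsWith(tempDir.getCanonicalPath()))` is a plain string-prefix comparison, so an entry that canonicalizes into a sibling directory whose name merely begins with the destination's name (destination `/tmp/out`, entry resolving under `/tmp/out2/`) is accepted as "contained". Compare against the destination with a trailing separator instead, `String base = tempDir.getCanonicalPath() + File.separator;` followed by `if (!outFile.getCanonicalPath().startsWith(base)) {`, or compare `java.nio.file.Path` objects with `Path.startsWith`, which matches whole path elements; if an entry that resolves to the destination directory itself must remain valid, accept that equality explicitly. The identical check in the IOUtils.java hunk needs the same change. The method this loop belongs to starts before and continues after the hunk, and some context lines of this hunk appear to have been lost in the mail rendering (the header counts 14/17 lines but fewer are visible).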
+++ b/util/src/main/java/org/apache/aries/util/io/IOUtils.java
@@ -274,7 +274,12 @@ public class IOUtils
 isZip = false; // It's not a zip - that's ok, we'll return that below.
 }
 if(isZip){
- do {
+ do {
+ File outFile = new File(outputDir, zipEntry.getName());
+ if (!outFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+ throw new IOException("The output file is not contained in the destination directory");
+ }
+
 if (!zipEntry.isDirectory()) {
 writeOutAndDontCloseInputStream(outputDir, zipEntry.getName(), zis);
 }
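Review bot: `outputDir.getCanonicalPath()` is re-evaluated on every iteration of the `do` loop although it does not change, and the rejection message gives an operator no way to tell which archive entry tripped the check. Compute the destination once before `do {`, e.g. `String base = outputDir.getCanonicalPath();`, and name the offending entry when rejecting it, `throw new IOException("Entry " + zipEntry.getName() + " is not contained in the destination directory " + base);`. The `do`/`while` this guard sits in closes outside the hunk, and `outFile` is otherwise unused here since the write still goes through `writeOutAndDontCloseInputStream(outputDir, zipEntry.getName(), zis)`, which is worth a one-line comment so the seemingly dead local is not removed later.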