This is an automated email from the ASF dual-hosted git repository.

imaxon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/asterixdb.git


The following commit(s) were added to refs/heads/master by this push:
     new 28c0ee8  [NO ISSUE] Validate paths within library archives
28c0ee8 is described below

commit 28c0ee84f1387ab5d0659e9e822f4e3923ddc22d
Author: Ian Maxon <ian@maxons.email>
AuthorDate: Mon Apr 6 18:32:53 2020 -0700

    [NO ISSUE] Validate paths within library archives
    
    Change-Id: I8f4a82c43b950fc3573cae5aa7c0782b475f962c
    Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/5624
    Integration-Tests: Jenkins <jenk...@fulliautomatix.ics.uci.edu>
    Tested-by: Jenkins <jenk...@fulliautomatix.ics.uci.edu>
    Reviewed-by: Ian Maxon <ima...@uci.edu>
    Contrib: Ian Maxon <ima...@uci.edu>
---
 .../control/common/deployment/DeploymentUtils.java    | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git 
a/hyracks-fullstack/hyracks/hyracks-control/hyracks-control-common/src/main/java/org/apache/hyracks/control/common/deployment/DeploymentUtils.java
 
b/hyracks-fullstack/hyracks/hyracks-control/hyracks-control-common/src/main/java/org/apache/hyracks/control/common/deployment/DeploymentUtils.java
index d07b648..e0150f7 100644
--- 
a/hyracks-fullstack/hyracks/hyracks-control/hyracks-control-common/src/main/java/org/apache/hyracks/control/common/deployment/DeploymentUtils.java
+++ 
b/hyracks-fullstack/hyracks/hyracks-control/hyracks-control-common/src/main/java/org/apache/hyracks/control/common/deployment/DeploymentUtils.java
@@ -25,6 +25,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.URL;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
@@ -32,6 +34,7 @@ import java.util.zip.ZipEntry;
 import java.util.zip.ZipFile;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.HttpEntity;
 import org.apache.http.HttpResponse;
@@ -45,6 +48,7 @@ import org.apache.hyracks.api.job.IJobSerializerDeserializer;
 import org.apache.hyracks.api.job.IJobSerializerDeserializerContainer;
 import org.apache.hyracks.api.util.JavaSerializationUtils;
 import org.apache.hyracks.control.common.context.ServerContext;
+import org.apache.hyracks.util.file.FileUtil;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -241,12 +245,25 @@ public class DeploymentUtils {
         throw HyracksException.create(trace);
     }
 
-    public static void unzip(String sourceFile, String outputDir) throws 
IOException {
+    public static void unzip(String sourceFile, String outputDirName) throws 
IOException {
         try (ZipFile zipFile = new ZipFile(sourceFile)) {
+            Path outputPath = 
Paths.get(FilenameUtils.normalize(outputDirName));
+            File outputDir = outputPath.toFile();
+            if (!outputDir.exists()) {
+                throw new IOException("Output path doesn't exist");
+            }
+            if (!outputDir.isDirectory()) {
+                throw new IOException("Output path is not a directory");
+            }
             Enumeration<? extends ZipEntry> entries = zipFile.entries();
             List<File> createdFiles = new ArrayList<>();
             while (entries.hasMoreElements()) {
                 ZipEntry entry = entries.nextElement();
+                String normalizedPath = 
FilenameUtils.normalize(FileUtil.joinPath(outputDirName, entry.getName()));
+                Path candidatePath = Paths.get(normalizedPath);
+                if (!candidatePath.startsWith(outputPath)) {
+                    throw new IOException("Malformed ZIP archive");
+                }
                 File entryDestination = new File(outputDir, entry.getName());
                 if (!entry.isDirectory()) {
                     entryDestination.getParentFile().mkdirs();
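Review bot: `FilenameUtils.normalize` returns null when the path it is given climbs above its root, so for an entry name with enough leading `..` segments joined to a relative `outputDirName`, `Paths.get(normalizedPath)` at the line after the `FileUtil.joinPath` call throws NullPointerException rather than the intended `IOException("Malformed ZIP archive")`, and the same applies to `Paths.get(FilenameUtils.normalize(outputDirName))` at the top of the try block; callers that catch IOException will not see these as the archive-validation failure they are. Add a null guard before each `Paths.get`, e.g. `if (normalizedPath == null) { throw new IOException("Malformed ZIP archive"); }`. The path that is checked (`candidatePath`) is also not the path that is written: `entryDestination` is rebuilt from `new File(outputDir, entry.getName())`, so if `FileUtil.joinPath` (not visible here) resolves an entry name differently from `File`'s two-argument constructor, the validated and the actual destination could diverge; using `File entryDestination = candidatePath.toFile();` keeps them identical. The body of `unzip` continues past the end of this hunk.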
