This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-4.15 in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
commit 5ff5f10a215741865b75acbf3a11231c8c3bd402
Author: Hang Chen <[email protected]>
AuthorDate: Mon Mar 4 12:07:49 2024 +0800
Add filename check for unTar (#4222) * add filename check for unTar * update code (cherry picked from commit 48b7d1ebb1138074356da9790fb20f3219c887a4)
---
 .../org/apache/bookkeeper/tests/integration/utils/DockerUtils.java | 6 +++++-
 .../apache/bookkeeper/tests/integration/utils/MavenClassLoader.java | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java
index d2a4d731a6..85c0fbb781 100644
--- a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java
+++ b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/DockerUtils.java
@@ -137,7 +137,11 @@ public class DockerUtils {
 TarArchiveEntry entry = stream.getNextTarEntry();
 while (entry != null) {
 if (entry.isFile()) {
- File output = new File(getTargetDirectory(containerId), entry.getName().replace("/", "-"));
+ File targetDir = getTargetDirectory(containerId);
+ File output = new File(targetDir, entry.getName().replace("/", "-"));
+ if (!output.toPath().normalize().startsWith(targetDir.toPath())) {
+ throw new IOException("Bad zip entry");
+ }
 try (FileOutputStream os = new FileOutputStream(output)) {
 byte[] block = new byte[readBlockSize];
 int read = stream.read(block, 0, readBlockSize);
diff --git a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
index 32d00370b1..c01593a2db 100644
--- a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
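Review bot: The new guard in the DockerUtils hunk normalizes only the entry side, while `targetDir.toPath()` is compared as-is; if getTargetDirectory(containerId) (defined outside this hunk) ever returns a path with a `.` or `..` segment, normalization strips it from `output` but not from the base, and every entry is rejected. Normalize the base once, e.g. `Path base = getTargetDirectory(containerId).toPath().normalize();` and `if (!output.toPath().normalize().startsWith(base)) {`, and make the message name the archive and the entry: `throw new IOException("Tar entry escapes target directory: " + entry.getName());`. Note that `entry.getName().replace("/", "-")` already flattens every `/` into the file name, so on a POSIX host only a bare `.` or `..` entry can trip the check; a comment saying so would stop a later reader from dropping the replace() on the assumption that startsWith alone contains traversal. Backslashes are not rewritten, so on a Windows host the startsWith check is the only thing rejecting a `..\x` name — which is a reason to keep it even though it looks redundant here.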
+++ b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
@@ -368,6 +368,10 @@ public class MavenClassLoader implements AutoCloseable {
 TarArchiveEntry entry;
 while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) {
 final File outputFile = new File(outputDir, entry.getName());
+ if (!outputFile.toPath().normalize().startsWith(outputDir.toPath())) {
+ throw new IOException("Bad zip entry");
+ }
+
 if (!outputFile.getParentFile().exists()) {
 outputFile.getParentFile().mkdirs();
 }
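Review bot: The added check compares a normalized `outputFile` against an unnormalized `outputDir.toPath()`, so an `outputDir` built from a relative path such as `./target` (its origin is outside this hunk) makes `normalize()` drop the `.` segment on one side only and every entry is thrown out as "Bad zip entry". Hoist a normalized base above the loop, `final Path base = outputDir.toPath().normalize();`, and compare with `if (!outputFile.toPath().normalize().startsWith(base)) {`; the message should also say tar rather than zip and carry `entry.getName()` so a rejected archive can be diagnosed. The check runs before `mkdirs()`, which is the right order, but the hunk shows no handling of `entry.isSymbolicLink()`/`entry.isLink()`; if the rest of the loop (outside the hunk) writes link entries by name, a link pointing outside `outputDir` followed by a file entry beneath it would still escape, so either skip or reject non-regular entries before the write. The lone `+` blank line between the guard and the `getParentFile()` check is stylistic and can stay.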
