This is an automated email from the ASF dual-hosted git repository. lzljs3620320 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/flink-table-store.git
The following commit(s) were added to refs/heads/master by this push: new ac043ede [hotfix] [SECURITY] Fix Zip Slip Vulnerability ac043ede is described below commit ac043edef8db0ec35a5a1c25eb0150893c039c69 Author: Jonathan Leitschuh <jonathan.leitsc...@gmail.com> AuthorDate: Thu Nov 17 21:40:53 2022 -0500 [hotfix] [SECURITY] Fix Zip Slip Vulnerability This closes #387 --- .../org/apache/flink/table/store/utils/CompatibilityTestUtils.java | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/flink-table-store-core/src/test/java/org/apache/flink/table/store/utils/CompatibilityTestUtils.java b/flink-table-store-core/src/test/java/org/apache/flink/table/store/utils/CompatibilityTestUtils.java
index a76f8d72..377b6af6 100644
--- a/flink-table-store-core/src/test/java/org/apache/flink/table/store/utils/CompatibilityTestUtils.java
+++ b/flink-table-store-core/src/test/java/org/apache/flink/table/store/utils/CompatibilityTestUtils.java
@@ -39,6 +39,9 @@ public class CompatibilityTestUtils {
 ZipEntry entry;
 while ((entry = zip.getNextEntry()) != null) {
 File file = new File(targetDirectory, entry.getName());
+ if (!file.toPath().normalize().startsWith(targetDirectory)) {
+ throw new IOException("Bad zip entry");
+ }
 if (entry.isDirectory()) {
 file.mkdirs();
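Review bot: The added guard compares the normalized entry path against `targetDirectory` exactly as it was passed in, so it is only reliable when that argument is already in normalized form (it appears to be a String, given the `Path.startsWith` call, but its declaration is outside the hunk). A base such as `.` or one containing `..` would have its prefix rewritten by `normalize()` on the entry side only, so every entry would be rejected; that fails closed, but it is a confusing failure in a test helper. I would resolve the base once, `Path base = Paths.get(targetDirectory).toAbsolutePath().normalize();`, test `if (!file.toPath().toAbsolutePath().normalize().startsWith(base)) {`, and name the offending entry in the message, `throw new IOException("Bad zip entry: " + entry.getName());`. The enclosing method starts and ends outside the hunk, so whether `Path` and `Paths` are already imported needs checking against the file header.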