Repository: reef Updated Branches: refs/heads/master ec738ad33 -> 28f15f608 (forced update)
[REEF-2019] Enforce uncompressed files are within the current directory JIRA: [REEF-2019](https://issues.apache.org/jira/browse/REEF-2019) Pull Request: Project: http://git-wip-us.apache.org/repos/asf/reef/repo Commit: http://git-wip-us.apache.org/repos/asf/reef/commit/79941915 Tree: http://git-wip-us.apache.org/repos/asf/reef/tree/79941915 Diff: http://git-wip-us.apache.org/repos/asf/reef/diff/79941915 Branch: refs/heads/master Commit: 79941915f431c35675e93fe0b95f7ddb7f8b398b Parents: 5ed56eb Author: Gyewon Lee <[email protected]> Authored: Fri May 18 16:04:12 2018 +0900 Committer: Gyewon Lee <[email protected]> Committed: Fri May 18 16:23:14 2018 +0900 ---------------------------------------------------------------------- .../reef/runtime/azbatch/evaluator/EvaluatorShim.java | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/reef/blob/79941915/lang/java/reef-runtime-azbatch/src/main/java/org/apache/reef/runtime/azbatch/evaluator/EvaluatorShim.java ----------------------------------------------------------------------
diff --git a/lang/java/reef-runtime-azbatch/src/main/java/org/apache/reef/runtime/azbatch/evaluator/EvaluatorShim.java b/lang/java/reef-runtime-azbatch/src/main/java/org/apache/reef/runtime/azbatch/evaluator/EvaluatorShim.java
index 1579c26..361d65b 100644
--- a/lang/java/reef-runtime-azbatch/src/main/java/org/apache/reef/runtime/azbatch/evaluator/EvaluatorShim.java
+++ b/lang/java/reef-runtime-azbatch/src/main/java/org/apache/reef/runtime/azbatch/evaluator/EvaluatorShim.java
@@ -44,7 +44,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
 import java.nio.file.Files;
-import java.nio.file.Paths;
+import java.nio.file.Path;
 import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.List;
@@ -277,9 +277,14 @@ public final class EvaluatorShim
 private void extractFiles(final File zipFile) throws IOException {
 try (ZipFile zipFileHandle = new ZipFile(zipFile)) {
 Enumeration<? extends ZipEntry> zipEntries = zipFileHandle.entries();
+ Path reefPath = this.reefFileNames.getREEFFolder().toPath();
 while (zipEntries.hasMoreElements()) {
 ZipEntry zipEntry = zipEntries.nextElement();
- File file = new File(this.reefFileNames.getREEFFolderName() + '/' + zipEntry.getName());
+ Path destination = new File(this.reefFileNames.getREEFFolder(), zipEntry.getName()).toPath();
+ if (!destination.startsWith(reefPath)) {
+ throw new IOException("Trying to unzip a file outside of the destination folder: " + destination);
+ }
+ File file = destination.toFile();
 if (file.exists()) {
 LOG.log(Level.INFO, "Skipping entry {0} because the file already exists.", zipEntry.getName());
 } else {
@@ -292,7 +297,7 @@ public final class EvaluatorShim
 } else {
 try (InputStream inputStream = zipFileHandle.getInputStream(zipEntry)) {
 LOG.log(Level.INFO, "Extracting {0}.", zipEntry.getName());
- Files.copy(inputStream, Paths.get(this.reefFileNames.getREEFFolderName() + '/' + zipEntry.getName()));
+ Files.copy(inputStream, destination);
 LOG.log(Level.INFO, "Extracting {0} completed.", zipEntry.getName());
 }
 }
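Review bot: The containment check `destination.startsWith(reefPath)` in the first `extractFiles` hunk does not stop `..` traversal, because `Path.startsWith` compares name elements without normalizing them. A path built from the REEF folder plus an entry name containing `..` segments still begins with the folder's own elements, so it passes the check. Normalize both paths before comparing, for example `Path reefPath = this.reefFileNames.getREEFFolder().toPath().toAbsolutePath().normalize();` and `Path destination = reefPath.resolve(zipEntry.getName()).normalize();`. The `Files.copy(inputStream, destination)` call in the following hunk writes to the same path, so it inherits whatever this check lets through. A unit test that feeds `extractFiles` an archive with a `..` entry and expects the `IOException` would pin the behaviour; the method body continues outside both hunks.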
