[ https://issues.apache.org/jira/browse/MNG-6942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17228222#comment-17228222 ]
Hudson commented on MNG-6942:
-----------------------------

Build unstable in Jenkins: Maven » Maven TLP » maven » MNG-6169/MNG-6551 #14

See https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven/job/MNG-6169%252FMNG-6551/14/

> Arbitrary file write during archive extraction ("Zip Slip") in wrapper
> ----------------------------------------------------------------------
>
>                 Key: MNG-6942
>                 URL: https://issues.apache.org/jira/browse/MNG-6942
>             Project: Maven
>          Issue Type: Bug
>          Components: maven wrapper
>    Affects Versions: 3.7.0
>            Reporter: Sylwester Lachiewicz
>            Assignee: Robert Scholte
>            Priority: Major
>             Fix For: 3.7.0
>
>
> In Maven Wrapper Installer
> [https://github.com/apache/maven/blob/ef8c95eb397651e10f677763dfcd9c8cea7c27b0/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java]
>
> {code:java}
> ZipEntry entry = entries.nextElement();
> if ( entry.isDirectory() )
> {
>     continue;
> }
> Path targetFile = dest.resolve( entry.getName() );
> // Unsanitized archive entry, which may contain '..', is used in a file system operation.
> // prevent Zip Slip
> if ( targetFile.startsWith( dest ) )
> {
>     Files.createDirectories( targetFile.getParent() );
>     Files.copy( zipFile.getInputStream( entry ), targetFile );
> }
> {code}
>
> Found via LGTM.com scan

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
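Why the prefix check quoted in the issue is not enough, and the normalized form that fixes it, as an added example (not the Maven wrapper's code); the destination path and the entry names are constructed samples:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not code from the Maven project. Path.startsWith compares
 * whole name elements and does not collapse "..", so a resolved entry such as
 * "<dest>/../x" still "starts with" dest until it is normalized.
 */
public class ZipSlipCheck {

    // The shape of the check quoted in the issue: resolve, then prefix-test.
    static boolean unnormalizedIsInside(Path dest, String entryName) {
        Path targetFile = dest.resolve(entryName);
        return targetFile.startsWith(dest);
    }

    // Hardened form: normalize both sides first so ".." segments are collapsed
    // before the element-wise prefix test. Because the comparison is per name
    // element, a sibling like "<dest>2" does not pass as a prefix match either.
    static boolean normalizedIsInside(Path dest, String entryName) {
        Path base = dest.toAbsolutePath().normalize();
        Path targetFile = base.resolve(entryName).normalize();
        return targetFile.startsWith(base);
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/wrapper-dest"); // constructed destination
        String[] entries = {
            "bin/mvn",                 // ordinary entry, stays inside dest
            "../../outside/file",      // traversal entry
            "/outside/file",           // absolute entry (resolve returns it as-is)
            "../wrapper-dest2/file"    // sibling dir sharing a name prefix
        };
        for (String e : entries) {
            System.out.printf("%-26s unnormalized=%-5s normalized=%s%n",
                    e, unnormalizedIsInside(dest, e), normalizedIsInside(dest, e));
        }
    }
}
```

Running it shows the traversal entry and the sibling-prefix entry accepted by the un-normalized check and rejected by the normalized one, while the ordinary entry passes both and the absolute entry fails both.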