From f6a82c15592bc36987d7cdfdfaf91e86af69c7a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Herv=C3=A9=20Boutemy?= Date: Sun, 13 May 2018 19:50:36 +0200 Subject: [PATCH 1/4] prepare 3.4.1-SNAPSHOT --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index aa08b2202..b95a6abe2 100644 --- a/pom.xml +++ b/pom.xml @@ -10,14 +10,14 @@ plexus-archiver - 3.4 + 3.4.1-SNAPSHOT Plexus Archiver Component scm:git:git@github.com:codehaus-plexus/plexus-archiver.git scm:git:git@github.com:codehaus-plexus/plexus-archiver.git http://github.com/codehaus-plexus/plexus-archiver - plexus-archiver-3.4 + master jira From a1b58c0cccc4e9a2e4b06284254492b6ecf6033a Mon Sep 17 00:00:00 2001 From: Odinn Date: Sun, 6 May 2018 01:16:55 +0300 Subject: [PATCH 2/4] fix: fail when trying to extract outside of dest dir A well crafted zip file may cause the code to extract outside of the destination dir. This PR fails when that happens so that no unexpected behaviour happens. --- .../plexus/archiver/AbstractUnArchiver.java | 9 +++++++ .../archiver/zip/ZipUnArchiverTest.java | 24 ++++++++++++++++++ src/test/zips/zip-slip.zip | Bin 0 -> 545 bytes 3 files changed, 33 insertions(+) create mode 100644 src/test/zips/zip-slip.zip diff --git a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java index f9035c8cb..cd1625ec0 100644 --- a/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java +++ b/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java 
@@ -308,6 +308,15 @@ protected void extractFile( final File srcF, final File dir, final InputStream c
         // Hmm. Symlinks re-evaluate back to the original file here. Unsure if this is a good thing...
         final File f = FileUtils.resolveFile( dir, entryName );
 
+        // Make sure that the resolved path of the extracted file doesn't escape the destination directory
+        String canonicalDirPath = dir.getCanonicalPath();
+        String canonicalDestPath = f.getCanonicalPath();
+
+        if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
+        {
+            throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
+        }
+
         try
         {
             if ( !isOverwrite() && f.exists() && ( f.lastModified() >= entryDate.getTime() ) )
diff --git a/src/test/java/org/codehaus/plexus/archiver/zip/ZipUnArchiverTest.java b/src/test/java/org/codehaus/plexus/archiver/zip/ZipUnArchiverTest.java
index 1f72a6156..ea46a5aae 100644
--- a/src/test/java/org/codehaus/plexus/archiver/zip/ZipUnArchiverTest.java
+++ b/src/test/java/org/codehaus/plexus/archiver/zip/ZipUnArchiverTest.java
@@ -190,6 +190,30 @@ public void testSelectors()
         } );
     }
 
+    public void testExtractingZipWithEntryOutsideDestDirThrowsException()
+        throws Exception
+    {
+        Exception ex = null;
+        String s = "target/zip-unarchiver-slip-tests";
+        File testZip = new File( getBasedir(), "src/test/zips/zip-slip.zip" );
+        File outputDirectory = new File( getBasedir(), s );
+
+        FileUtils.deleteDirectory( outputDirectory );
+
+        try
+        {
+            ZipUnArchiver zu = getZipUnArchiver( testZip );
+            zu.extract( "", outputDirectory );
+        }
+        catch ( Exception e )
+        {
+            ex = e;
+        }
+
+        assertNotNull( ex );
+        assertTrue( ex.getMessage().startsWith( "Entry is outside of the target directory" ) );
+    }
+
     private ZipArchiver getZipArchiver()
     {
         try
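Review bot: The guard `if ( !canonicalDestPath.startsWith( canonicalDirPath ) )` is a plain string-prefix test, so an entry that resolves into a sibling directory whose name merely begins with the destination's name still passes (with `dir` canonicalising to `/tmp/out`, an entry resolving to `/tmp/outside/x` starts with `/tmp/out` and is extracted). Anchor the comparison on the directory boundary instead, allowing the directory itself as the single exact match: `String prefix = canonicalDirPath.endsWith( File.separator ) ? canonicalDirPath : canonicalDirPath + File.separator;` followed by `if ( !canonicalDestPath.equals( canonicalDirPath ) && !canonicalDestPath.startsWith( prefix ) )`. The `endsWith` branch is only there because `getCanonicalPath()` of a filesystem root already ends in a separator, and appending another would reject everything under it. The check also covers only the entry's own resolved path; if this method is the one that materialises symlink entries (the `// Hmm. Symlinks` comment suggests so), their link target is not validated here and needs an equivalent check. `extractFile`'s signature, its throws clause and the remainder of its body lie outside the hunk, so confirm `IOException` from `getCanonicalPath()` is declared or handled there.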
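Review bot: The new test pins the outcome only through `ex.getMessage().startsWith( "Entry is outside of the target directory" )` after a `catch ( Exception e )`, so any other exception carrying that prefix would satisfy it, and a rewording of the message breaks it without any behaviour change. Catch the declared type instead, `catch ( ArchiverException e )`, or add `assertTrue( ex instanceof ArchiverException );` alongside the message assertion. It would also strengthen the test to assert afterwards that nothing was written outside `outputDirectory`, which is the property the fix is meant to guarantee; the entry name inside `zip-slip.zip` is not visible in the patch, so the exact path to check has to come from that fixture.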
diff --git a/src/test/zips/zip-slip.zip b/src/test/zips/zip-slip.zip new file mode 100644 index 0000000000000000000000000000000000000000..38b3f499de0163e62ca15ce18350a9d9a477a51b GIT binary patch literal 545 zcmWIWW@h1H0D=Au{XYEp{-1?`Y!K#PkYPyA&ri`SsVE5z;bdU8U359h4v0%DxEUB( zzA-W|u!sQFm1JZVD*#cV0!Xz&eqJh90MJm76a&LlprHwl)s`S02)6*So}T`Ippx7I z{nWC|9FT|Lj?Pm62|-=W$Rx*%D=;L0E@xl>dYWNLBZ!3v8dgZqpan~SHzSh>Gwx6T jnE?Vz8bg8PfCLE8QsgiR@MdKLxrhk}K_2A>d6oeH^pk5C literal 0 HcmV?d00001 From c264bf05799eb719255e9e803fe51b44843c2185 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Herv=C3=A9=20Boutemy?= Date: Sun, 13 May 2018 20:02:24 +0200 Subject: [PATCH 3/4] [maven-release-plugin] prepare release plexus-archiver-3.4.1 --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index b95a6abe2..3d2203cc4 100644 --- a/pom.xml +++ b/pom.xml @@ -10,14 +10,14 @@ plexus-archiver - 3.4.1-SNAPSHOT + 3.4.1 Plexus Archiver Component scm:git:git@github.com:codehaus-plexus/plexus-archiver.git scm:git:git@github.com:codehaus-plexus/plexus-archiver.git http://github.com/codehaus-plexus/plexus-archiver - master + plexus-archiver-3.4.1 jira From 864e818d4ef58b9274287439e4127851466d6da8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Herv=C3=A9=20Boutemy?= Date: Sun, 13 May 2018 20:02:31 +0200 Subject: [PATCH 4/4] [maven-release-plugin] prepare for next development iteration --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 3d2203cc4..749d76c05 100644 --- a/pom.xml +++ b/pom.xml @@ -10,14 +10,14 @@ plexus-archiver - 3.4.1 + 3.4.2-SNAPSHOT Plexus Archiver Component scm:git:git@github.com:codehaus-plexus/plexus-archiver.git scm:git:git@github.com:codehaus-plexus/plexus-archiver.git http://github.com/codehaus-plexus/plexus-archiver - plexus-archiver-3.4.1 + master jira