fix IOUtils unzip security problem

hengyunabc 2020-12-02 11:28:29 +08:00
parent 08db056c20
commit 2c3315a09d


@ -94,6 +94,14 @@ public class IOUtils {
return null;
}
public static boolean isSubFile(File parent, File child) throws IOException {
return child.getCanonicalPath().startsWith(parent.getCanonicalPath() + File.separator);
}
public static boolean isSubFile(String parent, String child) throws IOException {
return isSubFile(new File(parent), new File(child));
}
public static void unzip(String zipFile, String extractFolder) throws IOException {
File file = new File(zipFile);
ZipFile zip = null;
@ -101,9 +109,9 @@ public class IOUtils {
int BUFFER = 1024 * 8;
zip = new ZipFile(file);
String newPath = extractFolder;
File newPath = new File(extractFolder);
newPath.mkdirs();
new File(newPath).mkdir();
Enumeration<? extends ZipEntry> zipFileEntries = zip.entries();
// Process each entry
@ -113,6 +121,10 @@ public class IOUtils {
String currentEntry = entry.getName();
File destFile = new File(newPath, currentEntry);
if (!isSubFile(newPath, destFile)) {
throw new IOException("Bad zip entry: " + currentEntry);
}
// destFile = new File(newPath, destFile.getName());
File destinationParent = destFile.getParentFile();