Merge pull request #1223 from kermitt2/alert-autofix-61

Fix code scanning alert no. 61: Arbitrary file access during archive extraction ("Zip Slip")
kermitt2 · Jan 10, 2025 · 2ab61a6 · 2ab61a6
2 parents 7c0bccf + 2cc090f
commit 2ab61a6
Showing 1 changed file with 12 additions and 4 deletions.
diff --git a/grobid-service/src/main/java/org/grobid/service/util/ZipUtils.java b/grobid-service/src/main/java/org/grobid/service/util/ZipUtils.java
@@ -80,19 +80,27 @@ public static final void main(String[] args) {
 							+ entry.getName());
 					// This is not robust, just for demonstration purposes.
 
-					(new File(tempDir.getAbsolutePath() + File.separator
-							+ entry.getName())).mkdir();
+					File dir = new File(tempDir.getAbsolutePath() + File.separator + entry.getName()).getCanonicalFile();
+					if (!dir.toPath().startsWith(tempDir.toPath())) {
+						throw new IOException("Bad zip entry: " + entry.getName());
+					}
+					dir.mkdir();
 					continue;
 				}
 
 				System.err.println("Extracting file: " + entry.getName());
 
 				copyInputStream(
 						zipFile.getInputStream(entry),
-						new BufferedOutputStream(new FileOutputStream(tempDir
+						new BufferedOutputStream(new FileOutputStream(new File(tempDir
 								.getAbsolutePath()
 								+ File.separator
-								+ entry.getName())));
+								+ entry.getName()).getCanonicalFile())));
+						File outFile = new File(tempDir.getAbsolutePath() + File.separator + entry.getName()).getCanonicalFile();
+						if (!outFile.toPath().startsWith(tempDir.toPath())) {
+							throw new IOException("Bad zip entry: " + entry.getName());
+						}
+						copyInputStream(zipFile.getInputStream(entry), new BufferedOutputStream(new FileOutputStream(outFile)));
 			}
 
 			zipFile.close();