Posted to commits@seatunnel.apache.org by ga...@apache.org on 2022/09/23 03:26:19 UTC

[incubator-seatunnel] branch dev updated: [Bug]Ensure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations. (#2843)

This is an automated email from the ASF dual-hosted git repository.

gaojun2048 pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/incubator-seatunnel.git


The following commit(s) were added to refs/heads/dev by this push:
     new fd641d264 [Bug]Ensure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations. (#2843)
fd641d264 is described below

commit fd641d264d57e8d5248aa651b47cec3c88e44506
Author: Kirs <ki...@apache.org>
AuthorDate: Fri Sep 23 11:26:14 2022 +0800

    [Bug]Ensure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations. (#2843)
    
    Extracting files from a malicious zip archive (or another archive format) without validating that the destination file path is within the destination directory can cause files outside the destination directory to be overwritten, due to the possible presence of directory traversal elements (..) in archive paths.
---
 .../java/org/apache/seatunnel/core/base/utils/CompressionUtils.java    | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/seatunnel-core/seatunnel-core-base/src/main/java/org/apache/seatunnel/core/base/utils/CompressionUtils.java b/seatunnel-core/seatunnel-core-base/src/main/java/org/apache/seatunnel/core/base/utils/CompressionUtils.java
index 312ea842f..87673eb03 100644
--- a/seatunnel-core/seatunnel-core-base/src/main/java/org/apache/seatunnel/core/base/utils/CompressionUtils.java
+++ b/seatunnel-core/seatunnel-core-base/src/main/java/org/apache/seatunnel/core/base/utils/CompressionUtils.java
@@ -107,6 +107,9 @@ public final class CompressionUtils {
             TarArchiveEntry entry = null;
             while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) {
                 final File outputFile = new File(outputDir, entry.getName()).toPath().normalize().toFile();
+                if (!outputFile.toPath().normalize().startsWith(outputDir.toPath())) {
+                    throw new IllegalStateException("Bad zip entry");
+                }
                 if (entry.isDirectory()) {
                     LOGGER.info("Attempting to write output directory {}.", outputFile.getAbsolutePath());
                     if (!outputFile.exists()) {
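Review bot: The containment check at `if (!outputFile.toPath().normalize().startsWith(outputDir.toPath()))` compares a normalized entry path against an un-normalized, possibly relative `outputDir`, so a destination such as `out/../out` makes every entry fail the check, while a traversal entry is only rejected when the two sides happen to share the same form. Normalize both sides once, ideally as absolute paths (for example `Path base = outputDir.toPath().toAbsolutePath().normalize();` and `outputFile.toPath().toAbsolutePath().normalize().startsWith(base)`), and drop the second `normalize()` on the entry path, which the preceding line already applied. The exception text "Bad zip entry" is also misleading in this method, which iterates `TarArchiveEntry` objects from a tar stream; naming the archive type and the offending `entry.getName()` in the message would make the rejected traversal attempt visible in logs.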