You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@karaf.apache.org by GitBox <gi...@apache.org> on 2019/01/15 10:09:14 UTC
[karaf] Diff for: [GitHub] jbonofre merged pull request #717: [KARAF-6090]
kar extract ignores path containing .. relative
diff --git a/kar/pom.xml b/kar/pom.xml
index 660effd47a..f4cb54918e 100644
--- a/kar/pom.xml
+++ b/kar/pom.xml
@@ -75,6 +75,13 @@
<artifactId>org.apache.karaf.shell.core</artifactId>
<optional>true</optional>
</dependency>
+
+ <!-- test -->
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-simple</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
diff --git a/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java b/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
index 22e45c4d7c..68209f02a3 100644
--- a/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
+++ b/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
@@ -114,23 +114,27 @@ public void extract(File repoDir, File resourceDir) {
ZipEntry entry = zipIs.getNextEntry();
while (entry != null) {
- if (entry.getName().startsWith("repository/")) {
- String path = entry.getName().substring("repository/".length());
- File destFile = new File(repoDir, path);
- extract(zipIs, entry, destFile);
- if (scanForRepos && featureDetector.isFeaturesRepository(destFile)) {
- Map map = new HashMap<>();
- String uri = Parser.pathToMaven(path, map);
- if (map.get("classifier") != null && ((String) map.get("classifier")).equalsIgnoreCase("features"))
- featureRepos.add(URI.create(uri));
- else featureRepos.add(destFile.toURI());
+ if (entry.getName().contains("..")) {
+ LOGGER.warn("kar entry {} contains a .. relative path. For security reasons, it's not allowed.", entry.getName());
+ } else {
+ if (entry.getName().startsWith("repository/")) {
+ String path = entry.getName().substring("repository/".length());
+ File destFile = new File(repoDir, path);
+ extract(zipIs, entry, destFile);
+ if (scanForRepos && featureDetector.isFeaturesRepository(destFile)) {
+ Map map = new HashMap<>();
+ String uri = Parser.pathToMaven(path, map);
+ if (map.get("classifier") != null && ((String) map.get("classifier")).equalsIgnoreCase("features"))
+ featureRepos.add(URI.create(uri));
+ else featureRepos.add(destFile.toURI());
+ }
}
- }
- if (entry.getName().startsWith("resources/")) {
- String path = entry.getName().substring("resources/".length());
- File destFile = new File(resourceDir, path);
- extract(zipIs, entry, destFile);
+ if (entry.getName().startsWith("resources/")) {
+ String path = entry.getName().substring("resources/".length());
+ File destFile = new File(resourceDir, path);
+ extract(zipIs, entry, destFile);
+ }
}
entry = zipIs.getNextEntry();
}
diff --git a/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java b/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
new file mode 100644
index 0000000000..81c383824f
--- /dev/null
+++ b/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.karaf.kar.internal;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.net.URI;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
+
+public class KarTest {
+
+ @Test
+ public void karExtractTest() throws Exception {
+ File base = new File("target/test");
+ base.mkdirs();
+
+ Kar kar = new Kar(new URI("http://repo1.maven.org/maven2/org/apache/karaf/features/framework/4.2.2/framework-4.2.2.kar"));
+ File repoDir = new File("target/test/framework-repo");
+ repoDir.mkdirs();
+ File resourcesDir = new File("target/test/framework-resources");
+ resourcesDir.mkdirs();
+
+ kar.extract(repoDir, resourcesDir);
+
+ File[] repoDirFiles = repoDir.listFiles();
+ Assert.assertEquals(1, repoDirFiles.length);
+ Assert.assertEquals("org", repoDirFiles[0].getName());
+ File[] resourceDirFiles = resourcesDir.listFiles();
+ Assert.assertEquals(6, resourceDirFiles.length);
+ }
+
+ @Test
+ public void badKarExtractTest() throws Exception {
+ File base = new File("target/test");
+ base.mkdirs();
+ File badKarFile = new File(base,"bad.kar");
+ ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(badKarFile));
+ ZipEntry entry = new ZipEntry("../../../../foo.bar");
+ zos.putNextEntry(entry);
+
+ byte[] data = "Test Data".getBytes();
+ zos.write(data, 0, data.length);
+ zos.closeEntry();
+ zos.close();
+
+ Kar kar = new Kar(new URI("file:target/test/bad.kar"));
+ File repoDir = new File("target/test/repo");
+ repoDir.mkdirs();
+ File resourceDir = new File("target/test/resources");
+ resourceDir.mkdirs();
+ kar.extract(repoDir, resourceDir);
+
+ File[] repoDirFiles = repoDir.listFiles();
+ Assert.assertEquals(0, repoDirFiles.length);
+ File[] resourceDirFiles = resourceDir.listFiles();
+ Assert.assertEquals(0, resourceDirFiles.length);
+ }
+
+}
With regards,
Apache Git Services