[KARAF-6090] explode operation ignores path containing .. relative 20/head
authorJean-Baptiste Onofré <jbonofre@apache.org>
Mon, 14 Jan 2019 13:44:45 +0000 (14:44 +0100)
committerJean-Baptiste Onofré <jbonofre@apache.org>
Mon, 14 Jan 2019 14:57:02 +0000 (15:57 +0100)
deployer/service/pom.xml
deployer/service/src/main/java/org/apache/karaf/cave/deployer/service/impl/DeployerImpl.java
deployer/service/src/test/java/org/apache/karaf/cave/deployer/service/impl/DeployerImplTest.java

index 103df6f..4d3693e 100644 (file)
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-log4j12</artifactId>
+            <artifactId>slf4j-simple</artifactId>
+            <version>1.7.25</version>
             <scope>test</scope>
         </dependency>
 
index e7afd5b..eef6d00 100644 (file)
@@ -307,8 +307,12 @@ public class DeployerImpl implements Deployer {
             ZipEntry entry = zipIs.getNextEntry();
             while (entry != null) {
                 String path = entry.getName();
-                File destFile = new File(baseDir, path);
-                extract(zipIs, entry, destFile);
+                if (path.contains("..")) {
+                    LOGGER.warn("zip entry {} contains .. relative path. For security reasons, it's not allowed.", path);
+                } else {
+                    File destFile = new File(baseDir, path);
+                    extract(zipIs, entry, destFile);
+                }
                 entry = zipIs.getNextEntry();
             }
         } finally {
index f15cda6..6b89571 100644 (file)
@@ -22,9 +22,14 @@ import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
+import java.io.File;
+import java.io.FileOutputStream;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipFile;
+import java.util.zip.ZipOutputStream;
 
 public class DeployerImplTest {
 
@@ -50,9 +55,27 @@ public class DeployerImplTest {
     @Test
     public void explodeKarTest() throws Exception {
         List<String> featuresRepositories = deployer.explode("mvn:org.apache.karaf.features/framework/4.1.6/kar", "file:target/test/repository/kar");
-        for (String featuresRepository : featuresRepositories) {
-            System.out.println(featuresRepository);
-        }
+        Assert.assertEquals(1, featuresRepositories.size());
+        Assert.assertEquals("mvn:org.apache.karaf.features/framework/4.1.6/xml/features", featuresRepositories.get(0));
+    }
+
+    @Test
+    public void explodeBadZipTest() throws Exception {
+        File badZipFile = new File("target/test/bad.zip");
+        ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(badZipFile));
+        ZipEntry zipEntry = new ZipEntry("../../../../foo.bar");
+        zos.putNextEntry(zipEntry);
+
+        byte[] data = "Test Data".getBytes();
+        zos.write(data, 0, data.length);
+        zos.closeEntry();
+        zos.close();
+
+        deployer.extract("file:target/test/bad.zip", "target/test/badzip");
+
+        File extractDirectory = new File("target/test/badzip");
+        File[] files = extractDirectory.listFiles();
+        Assert.assertEquals(0, files.length);
     }
 
     @Test
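Review bot: The final assertion in `explodeBadZipTest` (`Assert.assertEquals(0, files.length)`) does not verify what the test is about: `File.listFiles()` returns `null` when `target/test/badzip` does not exist, so if `extract` never creates the directory the test dies with a `NullPointerException` instead of a readable failure, and an empty directory says nothing about whether `../../../../foo.bar` was written outside it. Assert directly that the traversal target is absent, `Assert.assertFalse(new File("target/test/badzip/../../../../foo.bar").exists());`, and tolerate a missing destination directory. The `ZipOutputStream` is also closed only on the happy path; try-with-resources closes it if `putNextEntry` or `write` throws. The `java.util.zip.ZipFile` import added in the earlier hunk of this file is unused.
```java
    @Test
    public void explodeBadZipTest() throws Exception {
        File badZipFile = new File("target/test/bad.zip");
        try (ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(badZipFile))) {
            zos.putNextEntry(new ZipEntry("../../../../foo.bar"));
            byte[] data = "Test Data".getBytes();
            zos.write(data, 0, data.length);
            zos.closeEntry();
        }

        deployer.extract("file:target/test/bad.zip", "target/test/badzip");

        // the traversal target must not exist, whether or not the (empty)
        // destination directory itself was created
        Assert.assertFalse(new File("target/test/badzip/../../../../foo.bar").exists());
        String[] extracted = new File("target/test/badzip").list();
        Assert.assertTrue(extracted == null || extracted.length == 0);
    }
```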