From 8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72 Mon Sep 17 00:00:00 2001 From: Decebal Suiu Date: Wed, 16 Aug 2023 21:00:59 +0300 Subject: [PATCH] Add security checks to prevent directory traversal when decompressing (#538) --- pf4j/src/main/java/org/pf4j/util/Unzip.java | 14 +++-- .../test/java/org/pf4j/util/UnzipTest.java | 60 +++++++++++++++++++ 2 files changed, 70 insertions(+), 4 deletions(-) create mode 100644 pf4j/src/test/java/org/pf4j/util/UnzipTest.java diff --git a/pf4j/src/main/java/org/pf4j/util/Unzip.java b/pf4j/src/main/java/org/pf4j/util/Unzip.java index 198cf7d..a78cf83 100644 --- a/pf4j/src/main/java/org/pf4j/util/Unzip.java +++ b/pf4j/src/main/java/org/pf4j/util/Unzip.java @@ -15,17 +15,17 @@ */ package org.pf4j.util; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import java.io.File; import java.io.FileInputStream; -import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.IOException; import java.util.zip.ZipEntry; +import java.util.zip.ZipException; import java.util.zip.ZipInputStream; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - /** * This class extracts the content of the plugin zip into a directory. * It's a class for only the internal use. @@ -75,11 +75,17 @@ public class Unzip { FileUtils.delete(destination.toPath()); } + String destinationCanonicalPath = destination.getCanonicalPath(); try (ZipInputStream zipInputStream = new ZipInputStream(new FileInputStream(source))) { ZipEntry zipEntry; while ((zipEntry = zipInputStream.getNextEntry()) != null) { File file = new File(destination, zipEntry.getName()); + String fileCanonicalPath = file.getCanonicalPath(); + if (!fileCanonicalPath.startsWith(destinationCanonicalPath)) { + throw new ZipException("The file "+ zipEntry.getName() + " is trying to leave the target output directory of "+ destination); + } + // create intermediary directories - sometimes zip don't add them File dir = new File(file.getParent()); diff --git a/pf4j/src/test/java/org/pf4j/util/UnzipTest.java b/pf4j/src/test/java/org/pf4j/util/UnzipTest.java new file mode 100644 index 0000000..202e1b0 --- /dev/null +++ b/pf4j/src/test/java/org/pf4j/util/UnzipTest.java @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2012-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pf4j.util; + +import org.junit.jupiter.api.Test; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.zip.ZipEntry; +import java.util.zip.ZipException; +import java.util.zip.ZipOutputStream; + +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class UnzipTest { + + @Test + public void zipSlip() throws IOException { + File zipFile = createMaliciousZipFile(); + Path destination = Files.createTempDirectory("zipSlip"); + + Unzip unzip = new Unzip(); + unzip.setSource(zipFile); + unzip.setDestination(destination.toFile()); + + Exception exception = assertThrows(ZipException.class, unzip::extract); + assertTrue(exception.getMessage().contains("is trying to leave the target output directory")); + } + + private File createMaliciousZipFile() throws IOException { + File zipFile = File.createTempFile("malicious", ".zip"); + String maliciousFileName = "../malicious.sh"; + try (ZipOutputStream zipOutputStream = new ZipOutputStream(new FileOutputStream(zipFile))) { + ZipEntry entry = new ZipEntry(maliciousFileName); + zipOutputStream.putNextEntry(entry); + zipOutputStream.write("Malicious content".getBytes()); + zipOutputStream.closeEntry(); + } + + return zipFile; + } + +} -- 2.39.5