mirrors
/
pf4j
mirror of https://github.com/pf4j/pf4j.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 42 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
713 Commits
26 Branches
Tree: 8e0aa198c4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8e0aa198c4'
${ noResults }
pf4j/pf4j/src/test/java/org/pf4j/util/UnzipTest.java

UnzipTest.java 2.1KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. /*

  2.  * Copyright (C) 2012-present the original author or authors.

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *     http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. package org.pf4j.util;

  17. 

  18. import org.junit.jupiter.api.Test;

  19. 

  20. import java.io.File;

  21. import java.io.FileOutputStream;

  22. import java.io.IOException;

  23. import java.nio.file.Files;

  24. import java.nio.file.Path;

  25. import java.util.zip.ZipEntry;

  26. import java.util.zip.ZipException;

  27. import java.util.zip.ZipOutputStream;

  28. 

  29. import static org.junit.jupiter.api.Assertions.assertThrows;

  30. import static org.junit.jupiter.api.Assertions.assertTrue;

  31. 

  32. public class UnzipTest {

  33. 

  34.     @Test

  35.     public void zipSlip() throws IOException {

  36.         File zipFile = createMaliciousZipFile();

  37.         Path destination = Files.createTempDirectory("zipSlip");

  38. 

  39.         Unzip unzip = new Unzip();

  40.         unzip.setSource(zipFile);

  41.         unzip.setDestination(destination.toFile());

  42. 

  43.         Exception exception = assertThrows(ZipException.class, unzip::extract);

  44.         assertTrue(exception.getMessage().contains("is trying to leave the target output directory"));

  45.     }

  46. 

  47.     private File createMaliciousZipFile() throws IOException {

  48.         File zipFile = File.createTempFile("malicious", ".zip");

  49.         String maliciousFileName = "../malicious.sh";

  50.         try (ZipOutputStream zipOutputStream = new ZipOutputStream(new FileOutputStream(zipFile))) {

  51.             ZipEntry entry = new ZipEntry(maliciousFileName);

  52.             zipOutputStream.putNextEntry(entry);

  53.             zipOutputStream.write("Malicious content".getBytes());

  54.             zipOutputStream.closeEntry();

  55.         }

  56. 

  57.         return zipFile;

  58.     }

  59. 

  60. }