From 8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72 Mon Sep 17 00:00:00 2001 From: Decebal Suiu Date: Wed, 16 Aug 2023 21:00:59 +0300 Subject: Add security checks to prevent directory traversal when decompressing (#538) --- pf4j/src/test/java/org/pf4j/util/UnzipTest.java | 60 +++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 pf4j/src/test/java/org/pf4j/util/UnzipTest.java (limited to 'pf4j/src/test') diff --git a/pf4j/src/test/java/org/pf4j/util/UnzipTest.java b/pf4j/src/test/java/org/pf4j/util/UnzipTest.java new file mode 100644 index 0000000..202e1b0 --- /dev/null +++ b/pf4j/src/test/java/org/pf4j/util/UnzipTest.java @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2012-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.pf4j.util; + +import org.junit.jupiter.api.Test; + +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.util.zip.ZipEntry; +import java.util.zip.ZipException; +import java.util.zip.ZipOutputStream; + +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; + +public class UnzipTest { + + @Test + public void zipSlip() throws IOException { + File zipFile = createMaliciousZipFile(); + Path destination = Files.createTempDirectory("zipSlip"); + + Unzip unzip = new Unzip(); + unzip.setSource(zipFile); + unzip.setDestination(destination.toFile()); + + Exception exception = assertThrows(ZipException.class, unzip::extract); + assertTrue(exception.getMessage().contains("is trying to leave the target output directory")); + } + + private File createMaliciousZipFile() throws IOException { + File zipFile = File.createTempFile("malicious", ".zip"); + String maliciousFileName = "../malicious.sh"; + try (ZipOutputStream zipOutputStream = new ZipOutputStream(new FileOutputStream(zipFile))) { + ZipEntry entry = new ZipEntry(maliciousFileName); + zipOutputStream.putNextEntry(entry); + zipOutputStream.write("Malicious content".getBytes()); + zipOutputStream.closeEntry(); + } + + return zipFile; + } + +} -- cgit v1.2.3