Merge branch 'fix/JLL/zip-slip-vulnerability' of github.com:BulkSecur…

…ityGeneratorProjectV2/VIDA-NYU__ache into BulkSecurityGeneratorProjectV2-fix/JLL/zip-slip-vulnerability
VIDA-NYU · Feb 24, 2023 · 8ed162d · 8ed162d
2 parents bed80dd + 2ce3b4a
commit 8ed162d
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/ache/src/main/java/achecrawler/crawler/CrawlersManager.java b/ache/src/main/java/achecrawler/crawler/CrawlersManager.java
@@ -199,6 +199,11 @@ private void unzipFile(Path file, Path outputDir) throws IOException {
                     continue;
                 }
                 File entryDestination = new File(outputDir.toFile(), entry.getName());
+                if (!entryDestination.toPath().normalize().startsWith(outputDir.toFile().toPath().normalize())) {
+                    // Prevent from zip slip vulnerability.
+                    // See:https://github.com/VIDA-NYU/ache/pull/307
+                    throw new IOException("Bad zip entry");
+                }
                 if (entry.isDirectory()) {
                     entryDestination.mkdirs();
                 } else {