Fixed security issue detected by CodeQL ("Zip Slip")

webfx-project · Oct 8, 2023 · b18e700 · b18e700
1 parent c1495e2
commit b18e700
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/src/main/java/dev/webfx/cli/commands/Install.java b/src/main/java/dev/webfx/cli/commands/Install.java
@@ -360,6 +360,10 @@ private static void uncompressTarGz(Path archivePath, Path destinationFolder) {
             while ((tarEntry = tis.getNextTarEntry()) != null) {
                 if (tarEntry.isFile()) {
                     Path outputPath = destinationFolder.resolve(tarEntry.getName());
+                    // Fixing security issue detected by CodeQL: Arbitrary file access during archive extraction ("Zip Slip")
+                    // => Checking the file will not be outside the destination folder
+                    if (!outputPath.normalize().startsWith(destinationFolder))
+                        throw new RuntimeException("Bad zip entry");
                     File outputFile = outputPath.toFile();
                     outputFile.getParentFile().mkdirs();
                     if (tarEntry.isSymbolicLink())
@@ -372,6 +376,8 @@ private static void uncompressTarGz(Path archivePath, Path destinationFolder) {
                 }
             }
         } catch (Exception e) {
+            if (e instanceof RuntimeException)
+                throw (RuntimeException) e;
             throw new RuntimeException(e);
         }
     }

diff --git a/src/main/resources/dev/webfx/cli/version/dev/version.ini b/src/main/resources/dev/webfx/cli/version/dev/version.ini
@@ -1,2 +1,2 @@
 version=0.1.0-SNAPSHOT
-build.timestamp=2023-10-08 10:25
+build.timestamp=2023-10-08 10:38