[util] Fix arbitrary file access during archive extraction

Closes #98
css4j · May 10, 2024 · 451d77f · 451d77f
1 parent 42a10a1
commit 451d77f
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/echosvg-util/src/main/java/io/sf/carte/echosvg/util/ClassFileUtilities.java b/echosvg-util/src/main/java/io/sf/carte/echosvg/util/ClassFileUtilities.java
@@ -23,6 +23,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
@@ -215,7 +216,7 @@ public int compareTo(Triple o) {
 	}
 
 	private static void collectJars(File dir, Map<String, Jar> jars, Map<String, ClassFile> classFiles)
-			throws IOException {
+			throws IOException, SecurityException {
 		File[] files = dir.listFiles();
 		if (files != null) {
 			for (File file : files) {
@@ -227,11 +228,13 @@ private static void collectJars(File dir, Map<String, Jar> jars, Map<String, Cla
 					j.jarFile = new JarFile(file);
 					jars.put(j.name, j);
 
+					Path dirPath = dir.toPath();
 					Enumeration<JarEntry> entries = j.jarFile.entries();
 					while (entries.hasMoreElements()) {
 						ZipEntry ze = entries.nextElement();
 						String name = ze.getName();
 						if (name.endsWith(".class")) {
+							sanitizeName(dir, dirPath, name);
 							ClassFile cf = new ClassFile();
 							cf.name = name;
 							cf.jar = j;
@@ -246,6 +249,13 @@ private static void collectJars(File dir, Map<String, Jar> jars, Map<String, Cla
 		}
 	}
 
+	private static void sanitizeName(File dir, Path dirPath, String name) throws SecurityException {
+		File file = new File(dir, name);
+		if (!file.toPath().normalize().startsWith(dirPath)) {
+			throw new SecurityException("Possibly malicious zip entry.");
+		}
+	}
+
 	/**
 	 * Returns the dependencies of the given class.
 	 *