s434730/RandomSec
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #1901 from OpenRefine/issue1840

Browse Source 
Fix zip slip vulnerability
This commit is contained in:
Jacky 2018-12-09 12:05:16 -05:00 committed by GitHub
commit 7f7b71459c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
main/src/com/google/refine/importing/ImportingUtilities.java
View File

@ -440,7 +440,11 @@ public class ImportingUtilities {
name = name.substring(0, q);
}
File file = new File(dir, name);
File file = new File(dir, name);
// For CVE-2018-19859, issue #1840
if (!file.toPath().normalize().startsWith(dir.toPath().normalize())) {
throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
}
int dot = name.indexOf('.');
String prefix = dot < 0 ? name : name.substring(0, dot);

10
main/tests/server/src/com/google/refine/tests/importing/ImportingUtilitiesTests.java
View File

@ -1,6 +1,8 @@
package com.google.refine.tests.importing;
import java.io.File;
import java.io.IOException;
import java.util.LinkedList;
import org.testng.Assert;
@ -14,6 +16,7 @@ import com.google.refine.importers.tree.TreeImportingParserBase;
import com.google.refine.importing.ImportingJob;
import com.google.refine.importing.ImportingUtilities;
import com.google.refine.tests.importers.ImporterTest;
import com.google.refine.tests.util.TestUtils;
import com.google.refine.util.JSONUtilities;
import com.google.refine.util.ParsingUtilities;
@ -36,6 +39,13 @@ public class ImportingUtilitiesTests extends ImporterTest {
Assert.assertTrue(pm.getTags().length == 0);
}
@Test(expectedExceptions=IllegalArgumentException.class)
public void testZipSlip() throws IOException {
File tempDir = TestUtils.createTempDirectory("openrefine-zip-slip-test");
// For CVE-2018-19859, issue #1840
ImportingUtilities.allocateFile(tempDir, "../../tmp/script.sh");
}
private ObjectNode getNestedOptions(ImportingJob job, TreeImportingParserBase parser) {
ObjectNode options = parser.createParserUIInitializationData(
job, new LinkedList<>(), "text/json");