Fix zip slip vulnerability. Closes #1840.

2018-12-09 10:41:33 +09:00 · 2018-12-09 10:41:33 +09:00 · e243e73e40
commit e243e73e40
parent de86a162fa
2 changed files with 11 additions and 1 deletions
--- a/main/src/com/google/refine/importing/ImportingUtilities.java
+++ b/main/src/com/google/refine/importing/ImportingUtilities.java
@ -440,7 +440,11 @@ public class ImportingUtilities {
            name = name.substring(0, q);
        }
        
-        File file = new File(dir, name);
+        File file = new File(dir, name);     
+        // For CVE-2018-19859, issue #1840
+        if (!file.toPath().normalize().startsWith(dir.toPath().normalize())) {
+        	throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
+        }
        
        int dot = name.indexOf('.');
        String prefix = dot < 0 ? name : name.substring(0, dot);
--- a/main/tests/server/src/com/google/refine/tests/importing/ImportingUtilitiesTests.java
+++ b/main/tests/server/src/com/google/refine/tests/importing/ImportingUtilitiesTests.java
@ -36,6 +36,12 @@ public class ImportingUtilitiesTests extends ImporterTest {
        Assert.assertTrue(pm.getTags().length == 0);
    }
    
+    @Test(expectedExceptions=IllegalArgumentException.class)
+    public void testZipSlip() {
+        // For CVE-2018-19859, issue #1840
+    	ImportingUtilities.allocateFile(workspaceDir, "../../script.sh");
+    }
+    
    private ObjectNode getNestedOptions(ImportingJob job, TreeImportingParserBase parser) {
        ObjectNode options = parser.createParserUIInitializationData(
                job, new LinkedList<>(), "text/json");