s434730/RandomSec
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix zip slip vulnerability. Closes #1840.

Browse Source
This commit is contained in:
Antonin Delpeuch 2018-12-09 10:41:33 +09:00
parent de86a162fa
commit e243e73e40
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
main/src/com/google/refine/importing/ImportingUtilities.java
View File

@ -441,6 +441,10 @@ public class ImportingUtilities {
} }
File file = new File(dir, name); File file = new File(dir, name);
// For CVE-2018-19859, issue #1840
if (!file.toPath().normalize().startsWith(dir.toPath().normalize())) {
throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
}
int dot = name.indexOf('.'); int dot = name.indexOf('.');
String prefix = dot < 0 ? name : name.substring(0, dot); String prefix = dot < 0 ? name : name.substring(0, dot);

6
main/tests/server/src/com/google/refine/tests/importing/ImportingUtilitiesTests.java
View File

@ -36,6 +36,12 @@ public class ImportingUtilitiesTests extends ImporterTest {
Assert.assertTrue(pm.getTags().length == 0); Assert.assertTrue(pm.getTags().length == 0);
} }
@Test(expectedExceptions=IllegalArgumentException.class)
public void testZipSlip() {
// For CVE-2018-19859, issue #1840
ImportingUtilities.allocateFile(workspaceDir, "../../script.sh");
}
private ObjectNode getNestedOptions(ImportingJob job, TreeImportingParserBase parser) { private ObjectNode getNestedOptions(ImportingJob job, TreeImportingParserBase parser) {
ObjectNode options = parser.createParserUIInitializationData( ObjectNode options = parser.createParserUIInitializationData(
job, new LinkedList<>(), "text/json"); job, new LinkedList<>(), "text/json");