include::../description.adoc[] == Noncompliant Code Example ---- Enumeration entries = zipFile.entries(); while (entries.hasMoreElements()) { ZipEntry entry = entries.nextElement(); File extractedFile = new File(toDir, entry.getName()); FileOutputStream fos = new FileOutputStream(extractedFile); // Noncompliant; entry.getName() that was used to created "extractedFile" may be tainted with "../../../../../../../../tmp/evil.sh" InputStream input = zipFile.getInputStream(entry); IOUtils.copy(input, fos); } ---- == Compliant Solution ---- Enumeration entries = zipFile.entries(); while (entries.hasMoreElements()) { ZipEntry zipEntry = entries.nextElement(); String fileName = zipEntry.getName(); File extractedFile = new File(toDir, fileName); String canonicalDirPath = toDir.getCanonicalPath(); String canonicalDestPath = extractedFile.getCanonicalPath(); sanitizeAgainstZipFlipVulnerability(fileName, canonicalDestPath, canonicalDirPath); // Compliant FileOutputStream fos = new FileOutputStream(extractedFile); InputStream input = zipFile.getInputStream(entry); IOUtils.copy(input, fos); } public static void sanitizeAgainstZipFlipVulnerability(String fileName, String canonicalDestPath, String canonicalDirPath) throws ArchiverException { if (fileName.indexOf("..") != -1 && !canonicalDestPath.startsWith(canonicalDirPath + File.separator)) { // Sanitizer throw new ArchiverException("The file " + fileName + " is trying to leave the target output directory."); } } ---- == See * https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection * https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection * https://cwe.mitre.org/data/definitions/409.html[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification) * https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream[CERT, IDS04-J.] - Safely extract files from ZipInputStream * Snyk Research Team: https://snyk.io/research/zip-slip-vulnerability[Zip Slip Vulnerability] * https://nvd.nist.gov/vuln/detail/CVE-2016-0709 * https://nvd.nist.gov/vuln/detail/CVE-2017-5946 ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::../message.adoc[] ''' == Comments And Links (visible only on this page) include::../comments-and-links.adoc[] endif::env-github,rspecator-view[]