67 lines
2.5 KiB
Plaintext
67 lines
2.5 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
----
|
|
Enumeration<? extends ZipEntry> entries = zipFile.entries();
|
|
while (entries.hasMoreElements()) {
|
|
ZipEntry entry = entries.nextElement();
|
|
File extractedFile = new File(toDir, entry.getName());
|
|
|
|
FileOutputStream fos = new FileOutputStream(extractedFile); // Noncompliant; entry.getName() that was used to created "extractedFile" may be tainted with "../../../../../../../../tmp/evil.sh"
|
|
InputStream input = zipFile.getInputStream(entry);
|
|
IOUtils.copy(input, fos);
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
----
|
|
Enumeration<? extends ZipEntry> entries = zipFile.entries();
|
|
while (entries.hasMoreElements()) {
|
|
ZipEntry zipEntry = entries.nextElement();
|
|
String fileName = zipEntry.getName();
|
|
File extractedFile = new File(toDir, fileName);
|
|
|
|
String canonicalDirPath = toDir.getCanonicalPath();
|
|
String canonicalDestPath = extractedFile.getCanonicalPath();
|
|
|
|
sanitizeAgainstZipFlipVulnerability(fileName, canonicalDestPath, canonicalDirPath); // Compliant
|
|
|
|
FileOutputStream fos = new FileOutputStream(extractedFile);
|
|
InputStream input = zipFile.getInputStream(entry);
|
|
IOUtils.copy(input, fos);
|
|
}
|
|
|
|
public static void sanitizeAgainstZipFlipVulnerability(String fileName, String canonicalDestPath, String canonicalDirPath) throws ArchiverException {
|
|
if (fileName.indexOf("..") != -1 && !canonicalDestPath.startsWith(canonicalDirPath + File.separator)) { // Sanitizer
|
|
throw new ArchiverException("The file " + fileName + " is trying to leave the target output directory.");
|
|
}
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A3] - Injection
|
|
* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
|
|
* https://cwe.mitre.org/data/definitions/409.html[MITRE, CWE-409] - Improper Handling of Highly Compressed Data (Data Amplification)
|
|
* https://wiki.sei.cmu.edu/confluence/display/java/IDS04-J.+Safely+extract+files+from+ZipInputStream[CERT, IDS04-J.] - Safely extract files from ZipInputStream
|
|
* Snyk Research Team: https://snyk.io/research/zip-slip-vulnerability[Zip Slip Vulnerability]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2016-0709
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2017-5946
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|