add filename check for unTar

apache · Mar 4, 2024 · 4ef4e29 · 4ef4e29
1 parent 7576f22
commit 4ef4e29
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/...s-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java b/...s-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
@@ -367,6 +367,10 @@ private static void unTar(final File inputFile, final File outputDir) throws Exc
             TarArchiveEntry entry;
             while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) {
                 final File outputFile = new File(outputDir, entry.getName());
+                if (!outputFile.toPath().normalize().startsWith(outputDir.toPath())) {
+                    throw new Exception("Bad zip entry");
+                }
+
                 if (!outputFile.getParentFile().exists()) {
                     outputFile.getParentFile().mkdirs();
                 }