From 4ef4e2985add43416a58d8d74d52ab6796d600ff Mon Sep 17 00:00:00 2001
From: chenhang
Date: Mon, 4 Mar 2024 09:36:08 +0800
Subject: [PATCH] add filename check for unTar
---
 .../bookkeeper/tests/integration/utils/MavenClassLoader.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
index 2b1fabf6bed..fc1b22a077f 100644
--- a/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
+++ b/tests/integration-tests-utils/src/main/java/org/apache/bookkeeper/tests/integration/utils/MavenClassLoader.java
@@ -367,6 +367,10 @@ private static void unTar(final File inputFile, final File outputDir) throws Exc
 TarArchiveEntry entry;
 while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) {
 final File outputFile = new File(outputDir, entry.getName());
+ if (!outputFile.toPath().normalize().startsWith(outputDir.toPath())) {
+ throw new Exception("Bad zip entry");
+ }
+
 if (!outputFile.getParentFile().exists()) {
 outputFile.getParentFile().mkdirs();
 }
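Review bot: The new guard in the `while` loop normalizes `outputFile` but compares it against the raw `outputDir.toPath()`, so an `outputDir` spelled with `.` or `..` segments (for example `./out`) would make every entry fail the check. Normalizing both sides the same way removes that dependency on the caller: `if (!outputFile.toPath().toAbsolutePath().normalize().startsWith(outputDir.toPath().toAbsolutePath().normalize())) {`. The message says "Bad zip entry" although this is a tar archive, and it does not name the rejected entry; `throw new Exception("Tar entry is outside the output directory: " + entry.getName());` would make a failed extraction diagnosable. The check is purely lexical, so it does not cover symbolic links; whether that matters depends on how the rest of `unTar`, which continues outside this hunk, writes entries to disk.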