summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJonathan Platt <jonathan.platt@att.com>2021-07-19 12:20:41 -0400
committerJonathan Platt <jonathan.platt@att.com>2021-07-20 08:19:19 -0400
commit1cffa0923a4fcb46b1aceb7f9b50356c8c729891 (patch)
treedd7e094bd257bf22e1d37aa31b9e3ee9fed9acc3
parent136a85c040adc383bf63342f5e59d5632ecb5dd1 (diff)
Fix zip slip vulnerability (CCSDK-3376)
Check and enforce canonical destination path of new file to resolve zip slip vulnerability in 'DaeximOffsiteBackupProvider.java' Issue-ID: CCSDK-3376 Signed-off-by: Jonathan Platt <jonathan.platt@att.com> Change-Id: I249752d7a8bb1a8075502b5130f94c32986ab8ee
Diffstat
-rwxr-xr-xnorthbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java4
1 files changed, 4 insertions, 0 deletions
diff --git a/northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java b/northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java
index 3d32c7d74..8abefb719 100755
--- a/northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java
+++ b/northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java
@@ -333,6 +333,10 @@ public class DaeximOffsiteBackupProvider implements AutoCloseable, DaeximOffsite
while(zipEntry != null){
String fileName = zipEntry.getName();
File newFile = new File(DAEXIM_DIR + fileName);
+ // To remediate zip slip vulnerability, ensure file has the expected canonical path
+ if (!newFile.getCanonicalPath().startsWith(DAEXIM_DIR)) {
+ throw new IOException("Entry is outside of the target directory");
+ }
FileOutputStream fos = new FileOutputStream(newFile);
int len;
while ((len = zis.read(bytes)) > 0) {