diff options
| author |   Dan Timoney <dtimoney@att.com> | 2021-07-20 15:57:02 +0000 |
|---|---|---|
| committer |   Gerrit Code Review <gerrit@onap.org> | 2021-07-20 15:57:02 +0000 |
| commit | c8d2bc608578588b4938ecaefe7409fcacbafec6 (patch) | |
| tree | 5313b2560d0dc920adfd61a628af40f27ddb3e0e | |
| parent | 6dfa45c5b883af5d9d3371f303513180cefa6f86 (diff) | |
| parent | 1cffa0923a4fcb46b1aceb7f9b50356c8c729891 (diff) | |
Merge "Fix zip slip vulnerability (CCSDK-3376)"
| -rwxr-xr-x | northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java b/northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java index 3d32c7d74..8abefb719 100755 --- a/northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java +++ b/northbound/daexim-offsite-backup/provider/src/main/java/org/onap/ccsdk/sli/northbound/daeximoffsitebackup/DaeximOffsiteBackupProvider.java @@ -333,6 +333,10 @@ public class DaeximOffsiteBackupProvider implements AutoCloseable, DaeximOffsite while(zipEntry != null){ String fileName = zipEntry.getName(); File newFile = new File(DAEXIM_DIR + fileName); + // To remediate zip slip vulnerability, ensure file has the expected canonical path + if (!newFile.getCanonicalPath().startsWith(DAEXIM_DIR)) { + throw new IOException("Entry is outside of the target directory"); + } FileOutputStream fos = new FileOutputStream(newFile); int len; while ((len = zis.read(bytes)) > 0) { |