diff options
author | Piotr Krysiak <piotr.krysiak@nokia.com> | 2018-07-19 08:08:59 +0200 |
---|---|---|
committer | Vitaly Emporopulo <Vitaliy.Emporopulo@amdocs.com> | 2018-07-23 16:20:25 +0000 |
commit | ed6e278e9839432b0ac08a32554f95dad023eba2 (patch) | |
tree | 0e731a2c51b3fdf05ebe40e6a8d91572e87a0877 /openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src | |
parent | f518496ce1ca757928ca585fb2c011c6a5fd3f10 (diff) |
Added zip-slip assert
Solution is not perfect. more robust one requires refactor which will be
handled in separate Epic for utils cleanuop
Issue-ID: SDC-1401
Change-Id: I536b187c9907fb979b13847c1b67fc3bd0abdc48
Signed-off-by: Piotr Krysiak <piotr.krysiak@nokia.com>
Diffstat (limited to 'openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src')
-rw-r--r-- | openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java b/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java index 25d920f471..94a5408446 100644 --- a/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java +++ b/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java @@ -18,8 +18,8 @@ package org.openecomp.core.utilities.file; import org.apache.commons.io.FilenameUtils; import org.apache.commons.io.IOUtils; -import org.openecomp.core.utilities.json.JsonUtil; import org.onap.sdc.tosca.services.YamlUtil; +import org.openecomp.core.utilities.json.JsonUtil; import java.io.ByteArrayInputStream; import java.io.File; @@ -37,6 +37,7 @@ import java.util.Map; import java.util.Objects; import java.util.function.Function; import java.util.zip.ZipEntry; +import java.util.zip.ZipException; import java.util.zip.ZipInputStream; /** @@ -236,6 +237,7 @@ public class FileUtils { ZipEntry zipEntry; while ((zipEntry = inputZipStream.getNextEntry()) != null) { + assertEntryNotVulnerable(zipEntry); mapFileContent.addFile(zipEntry.getName(), FileUtils.toByteArray(inputZipStream)); } @@ -322,4 +324,10 @@ public class FileUtils { fileExtension.equalsIgnoreCase(FileExtension.YAML.getDisplayName()); } + private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException { + if (entry.getName().contains("../")) { + throw new ZipException("Path traversal attempt discovered."); + } + } + } |