aboutsummaryrefslogtreecommitdiffstats
path: root/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib
diff options
context:
space:
mode:
authorPiotr Krysiak <piotr.krysiak@nokia.com>2018-07-19 08:08:59 +0200
committerVitaly Emporopulo <Vitaliy.Emporopulo@amdocs.com>2018-07-23 16:20:25 +0000
commited6e278e9839432b0ac08a32554f95dad023eba2 (patch)
tree0e731a2c51b3fdf05ebe40e6a8d91572e87a0877 /openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib
parentf518496ce1ca757928ca585fb2c011c6a5fd3f10 (diff)
Added zip-slip assert
Solution is not perfect. more robust one requires refactor which will be handled in separate Epic for utils cleanuop Issue-ID: SDC-1401 Change-Id: I536b187c9907fb979b13847c1b67fc3bd0abdc48 Signed-off-by: Piotr Krysiak <piotr.krysiak@nokia.com>
Diffstat (limited to 'openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib')
-rw-r--r--openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java10
1 files changed, 9 insertions, 1 deletions
diff --git a/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java b/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
index 25d920f471..94a5408446 100644
--- a/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
+++ b/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
@@ -18,8 +18,8 @@ package org.openecomp.core.utilities.file;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
-import org.openecomp.core.utilities.json.JsonUtil;
import org.onap.sdc.tosca.services.YamlUtil;
+import org.openecomp.core.utilities.json.JsonUtil;
import java.io.ByteArrayInputStream;
import java.io.File;
@@ -37,6 +37,7 @@ import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
/**
@@ -236,6 +237,7 @@ public class FileUtils {
ZipEntry zipEntry;
while ((zipEntry = inputZipStream.getNextEntry()) != null) {
+ assertEntryNotVulnerable(zipEntry);
mapFileContent.addFile(zipEntry.getName(), FileUtils.toByteArray(inputZipStream));
}
@@ -322,4 +324,10 @@ public class FileUtils {
fileExtension.equalsIgnoreCase(FileExtension.YAML.getDisplayName());
}
+ private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+ if (entry.getName().contains("../")) {
+ throw new ZipException("Path traversal attempt discovered.");
+ }
+ }
+
}