authorPiotr Krysiak <piotr.krysiak@nokia.com>2018-07-18 14:35:48 +0200
committerVitaly Emporopulo <Vitaliy.Emporopulo@amdocs.com>2018-07-23 17:00:21 +0000
commitf58e9a8c197ab342f6495e8becaf55876e479a01 (patch)
tree233b7d667bca456ce9eb9282d598f59153d452c5 /openecomp-be
parented6e278e9839432b0ac08a32554f95dad023eba2 (diff)
Fix zip-slip in openecomp-be
Issue-ID: SDC-1401 Change-Id: I92cf8184ab50cb1d3b1ba2f71eab8f5701e1ee57 Signed-off-by: Piotr Krysiak <piotr.krysiak@nokia.com>
Diffstat (limited to 'openecomp-be')
-rw-r--r--openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java9
-rw-r--r--openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java2
-rw-r--r--openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java47
3 files changed, 38 insertions, 20 deletions
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
index 206eae3491..dfd6b8d250 100644
--- a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
@@ -47,6 +47,7 @@ import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
public class CommonUtil {
@@ -95,8 +96,8 @@ public class CommonUtil {
String currentEntryName;
while ((zipEntry = inputZipStream.getNextEntry()) != null) {
+ assertEntryNotVulnerable(zipEntry);
currentEntryName = zipEntry.getName();
- // else, get the file content (as byte array) and save it in a map.
fileByteContent = FileUtils.toByteArray(inputZipStream);
int index = lastIndexFileSeparatorIndex(currentEntryName);
@@ -115,6 +116,12 @@ public class CommonUtil {
return new ImmutablePair<>(mapFileContent, folderList);
}
+ private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+ if (entry.getName().contains("../")) {
+ throw new ZipException("Path traversal attempt discovered.");
+ }
+ }
+
private static boolean isFile(String currentEntryName) {
return !(currentEntryName.endsWith("\\") || currentEntryName.endsWith("/"));
}
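Review bot: The new `assertEntryNotVulnerable` only rejects names containing the literal `"../"`, so an entry such as `..\evil` (backslash separators are honoured by `java.io.File` on Windows) or an absolute name like `/etc/passwd` passes the check; as far as this hunk shows the entries only populate an in-memory map (`mapFileContent`/`folderList`), so the practical impact is lower than in a disk-extracting path, but the same helper name is now used there too and the check should be equally strict. A separator-agnostic form would be `Path p = Paths.get(entry.getName()); if (p.isAbsolute() || p.normalize().startsWith("..")) throw new ZipException("Path traversal attempt discovered.");`, which also catches `a/../../b` after normalization; this needs `java.nio.file.Path`/`Paths` imports that are not visible in this hunk. Note also that `Paths.get` can throw `InvalidPathException` on platform-illegal characters, which is arguably the desired outcome for an untrusted archive but should be documented on the method.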
diff --git a/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java b/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
index e5993677cd..93a2290938 100644
--- a/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
+++ b/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
@@ -123,7 +123,7 @@ public class ResourceWalker {
return zipEntry -> {
String name = zipEntry.getName();
return (name.equals(resource) || name.startsWith(resource + "/"))
- && !zipEntry.isDirectory();
+ && !zipEntry.isDirectory() && !name.contains("../");
};
}
}
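Review bot: Adding `!name.contains("../")` to the predicate silently skips a traversal entry instead of rejecting the archive, so a crafted zip is still processed with that entry dropped and nothing is logged; a caller that later trusts the remaining entries has no signal that the input was hostile. The test is also separator-specific and misses `..\` names and absolute paths, so at minimum consider `&& !Paths.get(name).normalize().startsWith("..")` (plus an `isAbsolute()` check) and, if the surrounding code can tolerate it, fail loudly rather than filter. The method this lambda is returned from starts before the hunk, so I cannot see how the predicate's result is consumed.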
diff --git a/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java b/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java
index 96c7f17084..a2ea76d308 100644
--- a/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java
+++ b/openecomp-be/tools/zusammen-tools/src/main/java/org/openecomp/core/tools/util/ZipUtils.java
@@ -13,6 +13,7 @@ import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
@@ -45,33 +46,43 @@ public class ZipUtils {
if (zipFile == null || outputFolder == null) {
return;
}
- if (!outputFolder.toFile().exists()) {
- Files.createDirectories(outputFolder);
- }
+ createDirectoryIfNotExists(outputFolder);
try (FileInputStream fileInputStream = new FileInputStream(zipFile.toFile());
- ZipInputStream zis = new ZipInputStream(fileInputStream)) {
- ZipEntry ze = zis.getNextEntry();
- while (ze != null) {
- String fileName = ze.getName();
+ ZipInputStream stream = new ZipInputStream(fileInputStream)) {
+
+ ZipEntry entry;
+ while ((entry = stream.getNextEntry()) != null) {
+ assertEntryNotVulnerable(entry);
+ String fileName = entry.getName();
File newFile = new File(outputFolder.toString() + File.separator + fileName);
- if (ze.isDirectory()) {
- Path path = newFile.toPath();
- if (!path.toFile().exists()) {
- Files.createDirectories(path);
- }
+ if (entry.isDirectory()) {
+ createDirectoryIfNotExists(newFile.toPath());
} else {
- new File(newFile.getParent()).mkdirs();
- try (FileOutputStream fos = new FileOutputStream(newFile)) {
- ByteStreams.copy(zis, fos);
- }
+ persistFile(stream, newFile);
}
- ze = zis.getNextEntry();
}
+ }
+
+ }
- zis.closeEntry();
+ private static void persistFile(ZipInputStream stream, File newFile) throws IOException {
+ new File(newFile.getParent()).mkdirs();
+ try (FileOutputStream outputStream = new FileOutputStream(newFile)) {
+ ByteStreams.copy(stream, outputStream);
}
+ }
+ private static void createDirectoryIfNotExists(Path path) throws IOException {
+ if (!path.toFile().exists()) {
+ Files.createDirectories(path);
+ }
+ }
+
+ private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+ if (entry.getName().contains("../")) {
+ throw new ZipException("Path traversal attempt discovered.");
+ }
}
}
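Review bot: `assertEntryNotVulnerable` still lets traversal through on the one path here that writes to disk: the check is a substring test for `"../"`, while `newFile` is built by string concatenation with `File.separator`, so on Windows an entry named `..\..\evil` is not rejected but is resolved by `File` as a parent-directory escape, and the check never sees the resolved target at all. Since the output folder is known in this method, the robust form is to resolve the entry against it and compare normalized paths instead of inspecting the name, e.g. `Path base = outputFolder.toAbsolutePath().normalize();`, `Path target = base.resolve(fileName).normalize(); if (!target.startsWith(base)) throw new ZipException("Path traversal attempt discovered: " + fileName);`, then `File newFile = target.toFile();` — this also rejects absolute entry names, which `resolve` returns unchanged. Two smaller points: `persistFile` ignores the return value of `mkdirs()`, so a failed directory creation surfaces only as a less specific `FileNotFoundException` from the `FileOutputStream`; and the method's signature (and its `throws` clause) is above the hunk, so I cannot confirm `ZipException` is declared or handled by callers.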