summaryrefslogtreecommitdiffstats
path: root/openecomp-be/lib/openecomp-core-lib
diff options
context:
space:
mode:
Diffstat (limited to 'openecomp-be/lib/openecomp-core-lib')
-rw-r--r--openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java10
1 files changed, 9 insertions, 1 deletions
diff --git a/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java b/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
index 25d920f471..94a5408446 100644
--- a/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
+++ b/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
@@ -18,8 +18,8 @@ package org.openecomp.core.utilities.file;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
-import org.openecomp.core.utilities.json.JsonUtil;
import org.onap.sdc.tosca.services.YamlUtil;
+import org.openecomp.core.utilities.json.JsonUtil;
import java.io.ByteArrayInputStream;
import java.io.File;
@@ -37,6 +37,7 @@ import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
/**
@@ -236,6 +237,7 @@ public class FileUtils {
ZipEntry zipEntry;
while ((zipEntry = inputZipStream.getNextEntry()) != null) {
+ assertEntryNotVulnerable(zipEntry);
mapFileContent.addFile(zipEntry.getName(), FileUtils.toByteArray(inputZipStream));
}
@@ -322,4 +324,10 @@ public class FileUtils {
fileExtension.equalsIgnoreCase(FileExtension.YAML.getDisplayName());
}
+ private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+ if (entry.getName().contains("../")) {
+ throw new ZipException("Path traversal attempt discovered.");
+ }
+ }
+
}