Diffstat (limited to 'openecomp-be/lib')
2 files changed, 9 insertions, 2 deletions
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
index 206eae3491..dfd6b8d250 100644
--- a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
@@ -47,6 +47,7 @@ import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
 import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
 import java.util.zip.ZipInputStream;
 public class CommonUtil {
@@ -95,8 +96,8 @@ public class CommonUtil {
     String currentEntryName;
     while ((zipEntry = inputZipStream.getNextEntry()) != null) {
+      assertEntryNotVulnerable(zipEntry);
       currentEntryName = zipEntry.getName();
-      // else, get the file content (as byte array) and save it in a map.
       fileByteContent = FileUtils.toByteArray(inputZipStream);
       int index = lastIndexFileSeparatorIndex(currentEntryName);
@@ -115,6 +116,12 @@ public class CommonUtil {
     return new ImmutablePair<>(mapFileContent, folderList);
   }
+  private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+    if (entry.getName().contains("../")) {
+      throw new ZipException("Path traversal attempt discovered.");
+    }
+  }
+
   private static boolean isFile(String currentEntryName) {
     return !(currentEntryName.endsWith("\\") || currentEntryName.endsWith("/"));
   }
diff --git a/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java b/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
index e5993677cd..93a2290938 100644
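Review bot: assertEntryNotVulnerable only rejects the literal substring `../`, so an entry name written with the backslash separator that isFile() in the same hunk already treats as a separator (`endsWith("\\")`), a name starting with a root separator, or a name whose last segment is a bare `..` passes the check and still reaches FileUtils.toByteArray and the map keyed by currentEntryName. Splitting the name on both separators and rejecting any `..` segment or leading separator closes those gaps with no new imports; the rewrite below keeps the existing exception and message. The filter in ResourceWalker (second file) uses the same literal `../` test and would benefit from the same segment-based predicate, ideally shared so the two stay in step. How the map keys are consumed downstream is not visible in this diff, so the practical impact is inferred rather than shown.
```java
  private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
    String name = entry.getName();
    // isFile() treats '\' as a separator, so the traversal check must too; also reject absolute names.
    if (name.startsWith("/") || name.startsWith("\\")) {
      throw new ZipException("Path traversal attempt discovered.");
    }
    for (String segment : name.split("[/\\\\]")) {
      if ("..".equals(segment)) {
        throw new ZipException("Path traversal attempt discovered.");
      }
    }
  }
```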
--- a/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
+++ b/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
@@ -123,7 +123,7 @@ public class ResourceWalker {
     return zipEntry -> {
       String name = zipEntry.getName();
       return (name.equals(resource) || name.startsWith(resource + "/"))
-          && !zipEntry.isDirectory();
+          && !zipEntry.isDirectory() && !name.contains("../");
     };
   }
 }
|