summaryrefslogtreecommitdiffstats
path: root/openecomp-be/lib
diff options
context:
space:
mode:
Diffstat (limited to 'openecomp-be/lib')
-rw-r--r--openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java9
-rw-r--r--openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java2
2 files changed, 9 insertions, 2 deletions
diff --git a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
index 206eae3491..dfd6b8d250 100644
--- a/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
+++ b/openecomp-be/lib/openecomp-common-lib/src/main/java/org/openecomp/sdc/common/utils/CommonUtil.java
@@ -47,6 +47,7 @@ import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
public class CommonUtil {
@@ -95,8 +96,8 @@ public class CommonUtil {
String currentEntryName;
while ((zipEntry = inputZipStream.getNextEntry()) != null) {
+ assertEntryNotVulnerable(zipEntry);
currentEntryName = zipEntry.getName();
- // else, get the file content (as byte array) and save it in a map.
fileByteContent = FileUtils.toByteArray(inputZipStream);
int index = lastIndexFileSeparatorIndex(currentEntryName);
@@ -115,6 +116,12 @@ public class CommonUtil {
return new ImmutablePair<>(mapFileContent, folderList);
}
+ private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+ if (entry.getName().contains("../")) {
+ throw new ZipException("Path traversal attempt discovered.");
+ }
+ }
+
private static boolean isFile(String currentEntryName) {
return !(currentEntryName.endsWith("\\") || currentEntryName.endsWith("/"));
}
diff --git a/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java b/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
index e5993677cd..93a2290938 100644
--- a/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
+++ b/openecomp-be/lib/openecomp-sdc-translator-lib/openecomp-sdc-translator-core/src/main/java/org/openecomp/sdc/translator/utils/ResourceWalker.java
@@ -123,7 +123,7 @@ public class ResourceWalker {
return zipEntry -> {
String name = zipEntry.getName();
return (name.equals(resource) || name.startsWith(resource + "/"))
- && !zipEntry.isDirectory();
+ && !zipEntry.isDirectory() && !name.contains("../");
};
}
}