From ed6e278e9839432b0ac08a32554f95dad023eba2 Mon Sep 17 00:00:00 2001
From: Piotr Krysiak
Date: Thu, 19 Jul 2018 08:08:59 +0200
Subject: Added zip-slip assert
Solution is not perfect. more robust one requires refactor which will be handled in separate Epic for utils cleanuop
Issue-ID: SDC-1401
Change-Id: I536b187c9907fb979b13847c1b67fc3bd0abdc48
Signed-off-by: Piotr Krysiak
---
 .../main/java/org/openecomp/core/utilities/file/FileUtils.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'openecomp-be/lib/openecomp-core-lib')
diff --git a/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java b/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
index 25d920f471..94a5408446 100644
--- a/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
+++ b/openecomp-be/lib/openecomp-core-lib/openecomp-utilities-lib/src/main/java/org/openecomp/core/utilities/file/FileUtils.java
@@ -18,8 +18,8 @@ package org.openecomp.core.utilities.file;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOUtils;
-import org.openecomp.core.utilities.json.JsonUtil;
 import org.onap.sdc.tosca.services.YamlUtil;
+import org.openecomp.core.utilities.json.JsonUtil;
 import java.io.ByteArrayInputStream;
 import java.io.File;
@@ -37,6 +37,7 @@ import java.util.Map;
 import java.util.Objects;
 import java.util.function.Function;
 import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
 import java.util.zip.ZipInputStream;
 /**
@@ -236,6 +237,7 @@ public class FileUtils {
 ZipEntry zipEntry;
 while ((zipEntry = inputZipStream.getNextEntry()) != null) {
+ assertEntryNotVulnerable(zipEntry);
 mapFileContent.addFile(zipEntry.getName(), FileUtils.toByteArray(inputZipStream));
 }
@@ -322,4 +324,10 @@ public class FileUtils {
 fileExtension.equalsIgnoreCase(FileExtension.YAML.getDisplayName());
 }
+ private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+ if (entry.getName().contains("../")) {
+ throw new ZipException("Path traversal attempt discovered.");
+ }
+ }
+ }
-- cgit 1.2.3-korg
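Review bot: The check in assertEntryNotVulnerable only rejects names containing the literal `../`, so a name using the backslash separator (`..\`), a bare `..` segment, or an absolute name such as `/etc/x` still passes, and the commit message itself concedes the check is incomplete. FilenameUtils, which this file already imports, gives a more complete test: `FilenameUtils.normalize(name, true)` resolves `.` and `..` for both separators and returns null when the name would climb above its own root, and `FilenameUtils.getPrefixLength(name) > 0` flags absolute, drive- or UNC-qualified names (it also treats a leading `~` as a prefix, which is acceptable for archive entries). The loop in the earlier hunk stores the raw entry name as the map key, so whatever later writes those entries to disk still needs its own resolve-and-`startsWith` check against the target directory; that is outside this diff.
```java
private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
    String name = entry.getName();
    // normalize() resolves "." and ".." for both separators and returns null when the
    // name would escape its own root; a non-zero prefix length means an absolute or
    // drive/UNC-qualified name, which has no place inside an archive.
    if (FilenameUtils.normalize(name, true) == null || FilenameUtils.getPrefixLength(name) > 0) {
        throw new ZipException("Path traversal attempt discovered.");
    }
}
```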