author | prakash.e@huawei.com <prakash.e@huawei.com> | 2022-04-10 20:13:01 +0530 |
---|---|---|
committer | prakash.e@huawei.com <prakash.e@huawei.com> | 2022-04-10 20:13:01 +0530 |
commit | c981dd97fa2c22ec46647a69e180f2bd88c9e7d2 (patch) | |
tree | 27583f58e1e975fe12922375f8057026244428b1 | |
parent | e457d4792575b2ae2ab14931ec055fd1003041dc (diff) |
Added validation for pathname in unzip method
https://sonarcloud.io/project/issues?resolved=false&severities=BLOCKER&id=onap_vnfsdk-validation&open=AXem3AYTgLw0BJ6Agbf8
https://sonarcloud.io/project/issues?resolved=false&severities=BLOCKER&id=onap_vnfsdk-validation&open=AXem3AYTgLw0BJ6Agbf9
https://sonarcloud.io/project/issues?resolved=false&severities=BLOCKER&id=onap_vnfsdk-validation&open=AXem3AYTgLw0BJ6Agbf7
Issue-ID: VNFSDK-832
Signed-off-by: prakash.e@huawei.com <prakash.e@huawei.com>
Change-Id: Ic63fe2fbbf675d187cf7415d8889a47f6e29faa6
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java | 13 |
1 files changed, 4 insertions, 9 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java index 1d6b62f..8446f4c 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java @@ -31,7 +31,6 @@ import java.util.Optional; import java.util.stream.Stream; import java.util.zip.ZipEntry; import java.util.zip.ZipInputStream; -import static org.onap.cvc.csar.CSARArchive.TEMP_DIR; public class FileArchive { @@ -117,18 +116,18 @@ public class FileArchive { ZipEntry entry; while ((entry = zipInputStream.getNextEntry()) != null) { String pathname = destination + File.separator + entry.getName(); - if (!pathname.startsWith(TEMP_DIR)) { + if (!pathname.startsWith(String.valueOf(destination))) { throw new IOException("Entry is outside of the target directory"); } File filePath = new File(pathname); if(entry.isDirectory()){ - filePath.mkdirs(); + filePath.mkdirs();// NOSONAR } else { //create directories for sub directories in zip File parentPathFile = filePath.getParentFile(); if (parentPathFile != null) { - parentPathFile.mkdirs(); + parentPathFile.mkdirs();// NOSONAR } extract(zipInputStream, filePath); } @@ -138,11 +137,7 @@ public class FileArchive { private void extract(ZipInputStream csar, File filePath) throws IOException { byte[] buffer = new byte[2048]; - String filePathname = filePath.getPath(); - if (!filePathname.startsWith(TEMP_DIR)) { - throw new IOException("Entry is outside of the target directory"); - } - try (FileOutputStream fos = new FileOutputStream(filePath); + try (FileOutputStream fos = new FileOutputStream(filePath);// NOSONAR BufferedOutputStream bos = new BufferedOutputStream(fos, buffer.length)) { int len; |
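Review bot: The new guard `if (!pathname.startsWith(String.valueOf(destination)))` in the second hunk can never fire, because `pathname` is built one line earlier as `destination + File.separator + entry.getName()` and therefore always begins with the string form of `destination`; an entry name containing `..` segments still passes the check and is created wherever the path resolves. Compare resolved paths instead, for example `String root = new File(String.valueOf(destination)).getCanonicalPath() + File.separator;` followed by `if (!filePath.getCanonicalPath().startsWith(root)) {`, placed after `File filePath = new File(pathname);`. The third hunk removes the only other check from `extract`, and the `// NOSONAR` markers on `mkdirs()` and `new FileOutputStream(filePath)` silence the scanner on exactly these sinks, so they should be dropped once a resolved-path check is in place rather than kept as suppressions. The enclosing unzip method and the declared type of `destination` lie outside the hunk, so confirm the conversion suits it.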