From 7cb419943bf707205712bb195cf02e73d9dcd6fe Mon Sep 17 00:00:00 2001
From: "prakash.e@huawei.com"
Date: Thu, 24 Mar 2022 07:08:51 +0530
Subject: vnfsdk validation sonar cloud blocker issue fix

https://sonarcloud.io/project/issues?resolved=false&severities=BLOCKER&id=onap_vnfsdk-validation&open=AXem3AYTgLw0BJ6Agbf8

Issue-ID: VNFSDK-832
Signed-off-by: prakash.e@huawei.com
Change-Id: I217bf91e336f1c96090f4dfd5aa4b4267a43dd24
---
 csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java
index e2aa06b..fd21b62 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java
@@ -31,7 +31,7 @@ import java.util.Optional;
 import java.util.stream.Stream;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
-
+import static org.onap.cvc.csar.CSARArchive.TEMP_DIR;
 public class FileArchive {
@@ -116,8 +116,11 @@ public class FileArchive {
 ZipEntry entry;
 while ((entry = zipInputStream.getNextEntry()) != null) {
-
- File filePath = new File(destination + File.separator + entry.getName());
+ String pathname = destination + File.separator + entry.getName();
+ if (!pathname.startsWith(TEMP_DIR)) {
+ throw new IOException("Entry is outside of the target directory");
+ }
+ File filePath = new File(pathname);
 if(entry.isDirectory()){
 filePath.mkdirs();
-- cgit 1.2.3-korg
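Review bot: The new guard in the second hunk, `pathname.startsWith(TEMP_DIR)`, compares the raw concatenated string, so an entry name containing `..` segments keeps the same prefix and still passes; the check has to run on a normalized path. It also tests against `TEMP_DIR` rather than `destination`, which (assuming `destination` lies under `TEMP_DIR`) would still accept an entry that resolves to a sibling directory of the extraction target. I would replace it with `Path target = Paths.get(pathname).toAbsolutePath().normalize();` followed by `if (!target.startsWith(Paths.get(destination.toString()).toAbsolutePath().normalize())) {`, because `Path.startsWith` compares whole path components rather than characters. This needs the `java.nio.file.Path` and `Paths` imports if the file does not already have them. The enclosing method starts and ends outside the hunk, so the type of `destination` should be confirmed there.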