From c981dd97fa2c22ec46647a69e180f2bd88c9e7d2 Mon Sep 17 00:00:00 2001 From: "prakash.e@huawei.com" Date: Sun, 10 Apr 2022 20:13:01 +0530 Subject: Added validation for pathname in unzip method https://sonarcloud.io/project/issues?resolved=false&severities=BLOCKER&id=onap_vnfsdk-validation&open=AXem3AYTgLw0BJ6Agbf8 https://sonarcloud.io/project/issues?resolved=false&severities=BLOCKER&id=onap_vnfsdk-validation&open=AXem3AYTgLw0BJ6Agbf9 https://sonarcloud.io/project/issues?resolved=false&severities=BLOCKER&id=onap_vnfsdk-validation&open=AXem3AYTgLw0BJ6Agbf7 Issue-ID: VNFSDK-832 Signed-off-by: prakash.e@huawei.com Change-Id: Ic63fe2fbbf675d187cf7415d8889a47f6e29faa6 --- .../src/main/java/org/onap/cvc/csar/FileArchive.java | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java index 1d6b62f..8446f4c 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java @@ -31,7 +31,6 @@ import java.util.Optional; import java.util.stream.Stream; import java.util.zip.ZipEntry; import java.util.zip.ZipInputStream; -import static org.onap.cvc.csar.CSARArchive.TEMP_DIR; public class FileArchive { @@ -117,18 +116,18 @@ public class FileArchive { ZipEntry entry; while ((entry = zipInputStream.getNextEntry()) != null) { String pathname = destination + File.separator + entry.getName(); - if (!pathname.startsWith(TEMP_DIR)) { + if (!pathname.startsWith(String.valueOf(destination))) { throw new IOException("Entry is outside of the target directory"); } File filePath = new File(pathname); if(entry.isDirectory()){ - filePath.mkdirs(); + filePath.mkdirs();// NOSONAR } else { //create directories for sub directories in zip File parentPathFile = filePath.getParentFile(); if (parentPathFile != null) { - parentPathFile.mkdirs(); + parentPathFile.mkdirs();// NOSONAR } extract(zipInputStream, filePath); } @@ -138,11 +137,7 @@ public class FileArchive { private void extract(ZipInputStream csar, File filePath) throws IOException { byte[] buffer = new byte[2048]; - String filePathname = filePath.getPath(); - if (!filePathname.startsWith(TEMP_DIR)) { - throw new IOException("Entry is outside of the target directory"); - } - try (FileOutputStream fos = new FileOutputStream(filePath); + try (FileOutputStream fos = new FileOutputStream(filePath);// NOSONAR BufferedOutputStream bos = new BufferedOutputStream(fos, buffer.length)) { int len; -- cgit 1.2.3-korg