From e459087748170d9b0418cf220d1218a08eaa76b2 Mon Sep 17 00:00:00 2001
From: "prakash.e@huawei.com"
Date: Mon, 28 Mar 2022 19:36:39 +0530
Subject: parameter filePath is not validated before using it.

https://sonarcloud.io/project/issues?resolved=false&severities=BLOCKER&id=onap_vnfsdk-validation&open=AXem3AYTgLw0BJ6Agbf7

Issue-ID: VNFSDK-832
Signed-off-by: prakash.e@huawei.com
Change-Id: Iefa47f59aa13ec5d13fafe1a7a6c874096fd7eb9
---
 csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java
index fd21b62..1d6b62f 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/FileArchive.java
@@ -138,6 +138,10 @@ public class FileArchive {
 private void extract(ZipInputStream csar, File filePath) throws IOException {
 byte[] buffer = new byte[2048];
+ String filePathname = filePath.getPath();
+ if (!filePathname.startsWith(TEMP_DIR)) {
+ throw new IOException("Entry is outside of the target directory");
+ }
 try (FileOutputStream fos = new FileOutputStream(filePath);
 BufferedOutputStream bos = new BufferedOutputStream(fos, buffer.length)) {
-- 
cgit 1.2.3-korg
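Review bot: The new guard compares the raw, un-normalized path string with `startsWith(TEMP_DIR)`, so a `filePath` that lexically begins with the prefix but still resolves elsewhere — `..` segments after the prefix, or a sibling directory whose name merely starts with the TEMP_DIR text — is not rejected, which is the usual gap in a zip-slip check. Canonicalize both sides and compare by path segment instead, replacing the two added lines with `Path base = new File(TEMP_DIR).getCanonicalFile().toPath();` and `if (!filePath.getCanonicalFile().toPath().startsWith(base)) {` (the `throw` and closing brace stay; `java.nio.file.Path` must be imported, and `getCanonicalFile()` fits the method's existing `throws IOException`). TEMP_DIR is defined outside this hunk, so whether it is already absolute and separator-terminated cannot be confirmed here; canonicalizing it as above makes the check independent of that. The `buffer` allocation on the preceding context line could also move below the check, since nothing should be allocated for an entry that is about to be rejected. The `extract` method continues past the end of the hunk.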