Merge pull request #8688 from eclipse/fix/jetty-10-start-extract-traversal

Fix traversal bug on extraction of bad jar/zip files during jetty-start
Joakim Erdfelt 2022-10-06 07:15:06 -05:00 committed by GitHub
commit 5733ffc8c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 1 deletions


@ -198,7 +198,14 @@ public class FS
continue;
}
Path destFile = destination.resolve(entry.getName());
String entryName = entry.getName();
Path destFile = destination.resolve(entryName).normalize().toAbsolutePath();
// make sure extracted path does not escape the destination directory
if (!destFile.startsWith(destination))
{
throw new IOException(String.format("Malicious Archive %s found with bad entry \"%s\"",
archive, entryName));
}
if (!Files.exists(destFile))
{
FS.ensureDirectoryExists(destFile.getParent());
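Review bot: The containment check on the `startsWith` line compares an absolute, normalized `destFile` against `destination` exactly as the caller passed it, so a relative or un-normalized destination (e.g. `Path.of("work")`, or one containing a `..` segment) makes `startsWith` false for every entry and every archive is rejected as malicious. Normalize the base once and resolve against that: `Path destRoot = destination.toAbsolutePath().normalize();` / `Path destFile = destRoot.resolve(entryName).normalize();` / `if (!destFile.startsWith(destRoot))`. The loop this sits in begins and ends outside the hunk, so `destRoot` is better computed once before the loop rather than per entry. Component-wise `Path.startsWith` already rules out a sibling-prefix match such as `/tmp/dest-evil`, but the comparison is purely lexical; if `destination` may itself be a symlink, `toRealPath()` on the base is worth considering as well.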


@ -14,12 +14,18 @@
package org.eclipse.jetty.start;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import org.eclipse.jetty.toolchain.test.MavenPaths;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
public class FSTest
@ -45,6 +51,17 @@ public class FSTest
assertTrue(FS.canReadFile(pom.toPath()), "Can read file: " + pom);
}
@Test
public void testExtractEscaperZip(WorkDir workDir) throws IOException
{
Path archive = MavenPaths.findTestResourceFile("bad-libs/escaper.zip");
Path dest = workDir.getEmptyPathDir();
Path bad = Path.of("/tmp/evil.txt");
Files.deleteIfExists(bad);
assertThrows(IOException.class, () -> FS.extractZip(archive, dest));
assertFalse(Files.exists(bad), "The escaper prevention didn't work, you should not have a /tmp/evil.txt file, but you do.");
}
/**
* Utility method used by other test cases
*
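Review bot: `testExtractEscaperZip` pins only the exception; if the fixture's entry escaped to somewhere other than `/tmp/evil.txt`, the `assertFalse` on the last line would pass vacuously, and on Windows `Path.of("/tmp/evil.txt")` resolves under the current drive rather than the POSIX `/tmp` the fixture presumably targets. Because `escaper.zip` is binary and its entry name is not visible in the diff, document it above the test, e.g. `/** escaper.zip holds an entry whose name climbs out of the destination via ".." segments (see bad-libs/); extraction must throw and leave the filesystem untouched. */`, adjusted to what the fixture actually contains. The test would also be stronger if it asserted that `dest` is still empty after the throw, so a partial write inside the destination before the rejection is caught too.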
