Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix directory traversal on bad jar/zip files 

Signed-off-by: Joakim Erdfelt <joakim.erdfelt@gmail.com>
This commit is contained in:
Joakim Erdfelt 2022-10-05 13:25:44 -05:00
parent f8a6a0f5bc
commit a84fe38fef
No known key found for this signature in database
GPG Key ID: 2D0E1FB8FE4B68B4
3 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
jetty-start/src/main/java/org/eclipse/jetty/start/FS.java
View File

@ -198,7 +198,14 @@ public class FS
continue; continue;
} }
Path destFile = destination.resolve(entry.getName()); String entryName = entry.getName();
Path destFile = destination.resolve(entryName).normalize().toAbsolutePath();
// make sure extracted path does not escape the destination directory
if (!destFile.startsWith(destination))
{
throw new IOException(String.format("Malicious Archive %s found with bad entry \"%s\"",
archive, entryName));
}
if (!Files.exists(destFile)) if (!Files.exists(destFile))
{ {
FS.ensureDirectoryExists(destFile.getParent()); FS.ensureDirectoryExists(destFile.getParent());

17
jetty-start/src/test/java/org/eclipse/jetty/start/FSTest.java
View File

@ -14,12 +14,18 @@
package org.eclipse.jetty.start; package org.eclipse.jetty.start;
import java.io.File; import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List; import java.util.List;
import org.eclipse.jetty.toolchain.test.MavenPaths;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils; import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.toolchain.test.jupiter.WorkDir;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue; import static org.junit.jupiter.api.Assertions.assertTrue;
public class FSTest public class FSTest
@ -45,6 +51,17 @@ public class FSTest
assertTrue(FS.canReadFile(pom.toPath()), "Can read file: " + pom); assertTrue(FS.canReadFile(pom.toPath()), "Can read file: " + pom);
} }
@Test
public void testExtractEscaperZip(WorkDir workDir) throws IOException
{
Path archive = MavenPaths.findTestResourceFile("bad-libs/escaper.zip");
Path dest = workDir.getEmptyPathDir();
Path bad = Path.of("/tmp/evil.txt");
Files.deleteIfExists(bad);
assertThrows(IOException.class, () -> FS.extractZip(archive, dest));
assertFalse(Files.exists(bad), "The escaper prevention didn't work, you should not have a /tmp/evil.txt file, but you do.");
}
/** /**
* Utility method used by other test cases * Utility method used by other test cases
* *

BIN
jetty-start/src/test/resources/bad-libs/escaper.zip Normal file
View File

Binary file not shown.