
Commit 91e3b12

committed
Fix code scanning alerts
1 parent 5949de5 commit 91e3b12


2 files changed

+30
-14
lines changed

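--- a/gxcompress/src/main/java/com/genexus/compression/CompressionUtils.java
+++ b/gxcompress/src/main/java/com/genexus/compression/CompressionUtils.java
@@ -9,6 +9,8 @@
 import java.io.IOException;
 import java.io.RandomAccessFile;
 import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.Enumeration;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
@@ -304,4 +306,13 @@ private static boolean isEntryPathSafe(File targetPath, String entryName) throws
 File destinationFile = new File(targetPath, entryName).getCanonicalFile();
 return destinationFile.getPath().startsWith(targetPath.getPath() + File.separator) || destinationFile.getPath().equals(targetPath.getPath());
 }
+
+public static boolean isPathTraversal(String dir, String fName) {
+try {
+Path path = Paths.get(dir).resolve(fName);
+return !path.toAbsolutePath().equals(path.toRealPath());
+}catch (Exception e){
+return true;
+}
+}
 }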
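Review bot: `isPathTraversal` does not test whether the resolved path stays under `dir`; it tests whether the path already exists and is already written in its real, symlink-free form. `toRealPath()` throws for a file that does not exist yet, and `catch (Exception e)` turns that into `true`, so an entry that has not been extracted before is reported as traversal, as is any `dir` given in un-normalised form or reached through a symlink. A containment check on normalised paths states the intent directly: `Path base = Paths.get(dir).toAbsolutePath().normalize();` followed by `return !base.resolve(fName).normalize().startsWith(base);`, or the method can delegate to `isEntryPathSafe` directly above it, which already compares canonical paths. A Javadoc saying what `true` means and that the check runs before the entry is written would also help callers.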

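--- a/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
+++ b/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
@@ -639,20 +639,25 @@ private static void decompressTar(File archive, String directory) throws IOExcep
 try (TarArchiveInputStream tis = new TarArchiveInputStream(Files.newInputStream(archive.toPath()))) {
 TarArchiveEntry entry;
 while ((entry = tis.getNextEntry()) != null) {
-File newFile = new File(directory, entry.getName());
-if (entry.isDirectory()) {
-if (!newFile.isDirectory() && !newFile.mkdirs()) {
-throw new IOException("Failed to create directory " + newFile);
-}
-} else {
-File parent = newFile.getParentFile();
-if (!parent.isDirectory() && !parent.mkdirs()) {
-throw new IOException("Failed to create directory " + parent);
-}
-try (OutputStream out = Files.newOutputStream(newFile.toPath())) {
-int len;
-while ((len = tis.read(buffer)) != -1) {
-out.write(buffer, 0, len);
+if(CompressionUtils.isPathTraversal(directory, entry.getName())){
+log.error(DIRECTORY_ATTACK + "{}", entry.getName());
+return;
+}else {
+File newFile = new File(directory, entry.getName());
+if (entry.isDirectory()) {
+if (!newFile.isDirectory() && !newFile.mkdirs()) {
+throw new IOException("Failed to create directory " + newFile);
+}
+} else {
+File parent = newFile.getParentFile();
+if (!parent.isDirectory() && !parent.mkdirs()) {
+throw new IOException("Failed to create directory " + parent);
+}
+try (OutputStream out = Files.newOutputStream(newFile.toPath())) {
+int len;
+while ((len = tis.read(buffer)) != -1) {
+out.write(buffer, 0, len);
+}
 }
 }
 }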
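Review bot: The `return;` in the new `isPathTraversal` branch ends `decompressTar` normally, so the caller sees a successful extraction even though the archive was only partly unpacked and the rejection appears only in the log. The method already declares `throws IOException`, so the rejection can be reported like the directory-creation failures below it: `throw new IOException(DIRECTORY_ATTACK + entry.getName());`. Because that branch leaves the method either way, the `else` wrapper is unnecessary and the extraction body could keep its previous indentation, which would shrink this diff to a few lines. As written in `CompressionUtils`, the check returns `true` whenever `toRealPath()` fails, which includes a target that does not exist yet, so this branch probably fires on an ordinary archive extracted into an empty directory; a test for that case would confirm it. `decompressTar` begins and ends outside the hunk.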
