[env-manager] ensure to only extract data in exploded folder
rmannibucau committed Feb 21, 2024
1 parent 61958a9 commit 1979f01
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions env-manager/src/main/java/io/yupiik/dev/shared/Archives.java
Expand Up @@ -122,15 +122,19 @@ private void doExtract(final Path exploded, final ArchiveInputStream<?> archive,

final var name = entry.getName();
final int rootFolderEnd = name.indexOf('/');
if (rootFolderEnd < 0 || rootFolderEnd == name.length() - 1) {
if ((rootFolderEnd < 0 || rootFolderEnd == name.length() - 1) || name.contains("..")) {
continue;
}
final var out = exploded.resolve(name.substring(rootFolderEnd + 1));
if (entry.isDirectory()) {
Files.createDirectories(out);
} else if (isLink.test(entry)) {
final var targetLinked = Paths.get(linkPath.apply(archive, entry));
if (Files.exists(out.getParent().resolve(targetLinked))) {
final var target = out.getParent().resolve(targetLinked);
if (exploded.relativize(target.toAbsolutePath().normalize()).toString().contains("..")) {
continue;
}
if (Files.exists(target)) {
Files.createDirectories(out.getParent());
try {
Files.createSymbolicLink(out, targetLinked);
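Review bot: The added `name.contains("..")` guard is a substring test on the raw entry name, so the resolved `out` is never actually checked against `exploded`. If the remainder after the root folder is absolute (it begins with `/`), `exploded.resolve(...)` returns that absolute path unchanged, while a harmless file name such as `a..b` is skipped. Comparing normalized paths right after `out` is computed covers both cases: `if (!out.toAbsolutePath().normalize().startsWith(exploded.toAbsolutePath().normalize())) { continue; }`. The link check has the same shape: `exploded.relativize(...)` throws `IllegalArgumentException` when `exploded` is relative and the argument is absolute (whether `exploded` is always absolute is not visible here), and `.toString().contains("..")` again matches ordinary file names, so `if (!target.toAbsolutePath().normalize().startsWith(exploded.toAbsolutePath().normalize())) { continue; }` states the containment directly. `doExtract` starts and ends outside this hunk, so any validation done elsewhere in the method is not visible.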