Closed ebresie closed 1 year ago
Based on details it recommends checking normalized files to ensure this is same as path to avoid possible malicious pathing during uncompression. Example provided is to add a check as indicated below:
```java
// Build the output path from the archive entry name, then reject any entry whose
// normalized path resolves outside the destination directory (zip slip).
File file = new File(destinationDir, entry.getName());
if (!file.toPath().normalize().startsWith(destinationDir.toPath()))
    throw new Exception("Bad zip entry");
FileOutputStream fos = new FileOutputStream(file); // OK
```
Tracking issue for:
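The following is an added example, not code from the issue author or from the tool that produced the recommendation, showing the same check carried through a complete extraction routine. It normalizes both the destination directory and the resolved entry path before the `startsWith` comparison (the snippet above only normalizes the entry side), and it builds a small in-memory archive with constructed entry names, one of them escaping the destination, so the rejection can be observed without any file on disk. The class name `SafeUnzip` and the helper names are assumptions for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    /** Resolves an archive entry name against destDir and rejects anything that escapes it. */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        // Normalize the base too, so a destination given as "out/../out" still compares correctly.
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        // Path.startsWith compares whole name components, so "/out" does not match "/output".
        if (!target.startsWith(base)) {
            throw new IOException("Bad zip entry: " + entryName);
        }
        return target;
    }

    /** Extracts every entry of the archive into destDir, applying safeResolve to each name. */
    static void extract(byte[] archive, Path destDir) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target = safeResolve(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target);
                }
                zin.closeEntry();
            }
        }
    }

    /** Builds a small archive in memory; the entry names are constructed for this demo. */
    static byte[] buildArchive(String... names) throws IOException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bout)) {
            for (String name : names) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bout.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unzip-demo");

        // Benign archive: every entry stays under dest.
        extract(buildArchive("docs/readme.txt", "bin/run.sh"), dest);
        System.out.println("benign archive extracted under " + dest);

        // Constructed archive with one traversing entry name: the check rejects it.
        try {
            extract(buildArchive("ok.txt", "../escaped.txt"), dest);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The comparison is done on `Path` objects rather than on strings on purpose: `Path.startsWith` matches name components, so a prefix check cannot be fooled by a sibling directory whose name merely begins with the destination's name, and `normalize()` collapses the `..` segments before the comparison is made.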