ebresie / python4nb

This is a Python Plugin for Netbeans.
Apache License 2.0

Fix code scanning alert - Arbitrary file write during archive extraction ("Zip Slip") #2

Closed ebresie closed 1 year ago

ebresie commented 2 years ago

Tracking issue for:

ebresie commented 2 years ago

Based on the details, it recommends checking the normalized file path to ensure it is the same as the destination path, to avoid possible malicious pathing during decompression. The example provided is to add a check as indicated below:

File file = new File(destinationDir, entry.getName());

// Normalize the resolved entry path and require it to remain under destinationDir.
// Path.startsWith compares whole path components, so an entry whose name
// contains "../" segments (or resolves to a sibling such as "out2") fails the test.
if (!file.toPath().normalize().startsWith(destinationDir.toPath()))
    throw new Exception("Bad zip entry");

FileOutputStream fos = new FileOutputStream(file); // OK
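As an added illustration (not code from this issue or from the python4nb plugin), the same check in Python: resolve_entry mirrors the Java normalize-then-startsWith test, and safe_extract validates every entry of an archive before writing any of them. The archives in demo() are constructed in memory for the demonstration; the entry names and the temp directory are assumptions.

```python
import io, os, tempfile, zipfile
from pathlib import Path

class BadZipEntry(Exception):
    """An archive entry whose normalized path lies outside the destination."""

def resolve_entry(dest_dir: str, entry_name: str):
    """Counterpart of the Java check: join, normalize away '..', and accept only
    dest_dir itself or a descendant (else None). Containment is component-wise,
    like Path.startsWith in Java, so 'out2' is not inside 'out'; an absolute
    entry name replaces dest_dir in the join and is therefore rejected too."""
    dest = Path(os.path.abspath(dest_dir))
    target = Path(os.path.normpath(os.path.join(dest, entry_name)))
    return target if target == dest or dest in target.parents else None

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Validate every entry before writing any; returns the names written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(i, resolve_entry(dest_dir, i.filename)) for i in zf.infolist()]
        bad = [i.filename for i, t in plan if t is None]
        if bad:  # one traversal entry rejects the whole archive, nothing touched
            raise BadZipEntry(f"Bad zip entry: {bad[0]!r}")
        for info, target in plan:
            (target if info.is_dir() else target.parent).mkdir(parents=True, exist_ok=True)
            if not info.is_dir():
                target.write_bytes(zf.read(info))
    return [info.filename for info, _ in plan]

def build_archive(entries: dict) -> bytes:
    """Constructed sample archive; writestr keeps '../' in names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo() -> tuple:
    # Returns (names written from a clean archive, hostile archive rejected?,
    # did its '../escaped.py' appear beside the destination directory?)
    clean = build_archive({"pkg/__init__.py": b"", "pkg/mod.py": b"x = 1\n"})
    hostile = build_archive({"pkg/ok.py": b"", "../escaped.py": b"print(1)\n"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        written = safe_extract(clean, dest)
        rejected = False
        try:
            safe_extract(hostile, dest)
        except BadZipEntry:
            rejected = True
        escaped = os.path.exists(os.path.join(tmp, "escaped.py"))
    return written, rejected, escaped
```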

ebresie commented 1 year ago

Fixed as part of 188f3fb