thrau / jarchivelib

A simple archiving and compression library for Java
https://github.com/thrau/jarchivelib
Apache License 2.0
198 stars 36 forks

Fix zip traversal vulnerability #66

Open ametry opened 6 years ago

ametry commented 6 years ago

There is a vulnerability where an attacker can create an archive with entries that, when extracted, attempt to traverse up the file system and then down to overwrite system files, giving the attacker the ability to perform malicious attacks. This PR fixes this vulnerability by verifying that the file is being created inside the target/destination directory. If it is not, it is forced to be placed inside the directory. The added test cases show different scenarios of attempts to traverse outside the target directory.

I chose to solve the problem using java.nio, which is supported starting with Java 7, hence the change in pom.xml.

For more information about the vulnerability, please refer to this blog post https://blog.sonatype.com/making-sure-our-users-dont-zip-slip-and-fall
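
The containment check the PR describes, shown here as an added, self-contained example that is not jarchivelib's code or the PR's diff. It uses the same java.nio idea (resolve the entry name against the destination, normalize, then check that the result still starts with the destination), but where the PR relocates an escaping entry into the destination, this example rejects the entry instead, which is the more common choice. The class and method names (ZipSlipDemo, safeResolve, extract, buildArchive) and the sample archive are assumptions made for the example; the archive is constructed in memory so the program runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example, not jarchivelib code: zip-slip-safe extraction using java.nio.
 * All names here (ZipSlipDemo, safeResolve, extract, buildArchive) are hypothetical.
 */
public class ZipSlipDemo {

    /**
     * Resolve an entry name against the destination directory and reject it when
     * the normalized result is not inside that directory.
     */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // resolve() returns an absolute entry name unchanged; normalize() collapses ".." segments
        Path target = base.resolve(entryName).normalize();
        // startsWith compares whole path components, so /tmp/out does not match /tmp/outer
        if (!target.startsWith(base)) {
            throw new IOException("entry '" + entryName + "' would be written outside " + base);
        }
        return target;
    }

    /** Extract into destDir, skipping entries that fail safeResolve. Returns the number of files written. */
    static int extract(byte[] zipBytes, Path destDir) throws IOException {
        int written = 0;
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path target;
                try {
                    target = safeResolve(destDir, entry.getName());
                } catch (IOException rejected) {
                    System.out.println("REJECTED " + rejected.getMessage());
                    continue;
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    // ZipInputStream returns EOF at the end of the current entry, so copy() takes only this entry's bytes
                    Files.copy(zin, target);
                    written++;
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    /** Constructed sample archive: one benign entry and three traversal attempts. */
    static byte[] buildArchive() throws IOException {
        String[][] entries = {
            {"good.txt",             "harmless"},
            {"../../evil.txt",       "plain ../ traversal"},
            {"sub/../../sneaky.txt", "normalizes to ../sneaky.txt relative to destDir"},
            {"/tmp/absolute.txt",    "absolute entry names are rejected too (POSIX)"},
        };
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String[] e : entries) {
                zout.putNextEntry(new ZipEntry(e[0]));
                zout.write(e[1].getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("zipslip-demo");
        int n = extract(buildArchive(), dest);
        System.out.println("wrote " + n + " file(s) into " + dest);
    }
}
```

Two caveats a reviewer would raise on any fix of this shape. First, a plain `entryName.contains("..")` test is not a substitute: it misses absolute entry names and false-positives on names like `..notes`. Second, `startsWith` on a normalized path is a lexical check only; if the extractor materializes symbolic links from earlier entries (java.util.zip does not, but other archive libraries can), a later entry can be written through such a link and still pass this check, so symlink entries need to be refused or their targets validated separately.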

thrau commented 5 years ago

Thanks for this contribution, I'm glad to see that people are looking into security aspects of jarchivelib. I have some concerns about merging this into master because I'm still planning on releasing a major version that's compatible with Java 6 so as not to break people's code. I'll gladly merge it into the next major version where Java 6 will be dropped (see #22).

ametry commented 5 years ago

@thrau thanks! Glad to know that you were already planning on using java.nio. I'm curious, is there a rough estimate of when the next major release version might be (when Java 6 will be dropped)?

thrau commented 5 years ago

I can't give you one at the moment, but in principle I could start a new branch for 2.x and start deploying snapshots for you to use your code.

ametry commented 5 years ago

Great. Thank you!