prevent zip-slip in DeploymentEngine.addAsWebResources#1227
Conversation
Signed-off-by: rootvector2 <dxbnaveed.k@gmail.com>
|
Thanks for the contribution! The change looks good to me from a first glance, it does not seem like this could break any legitimate usecase. @robertlazarski wdyt? |
|
right, the containment check only rejects entries whose canonical path escapes |
|
Thanks for this @rootvector2, and thanks @cortlepp for taking a look! 🙌 I went through the containment logic carefully and it's correct — nicely
Using getCanonicalPath() instead of getAbsolutePath() is also the right I also checked the other zip-extraction spots — the one in LGTM — merging. Thanks again for the contribution! |
found while auditing the aar deployment path:
addAsWebResourceswrites eachWWW/archive entry throughnew File(out, entryName)without containment, so a crafted aar entry likeWWW/../../evil.jspescapes the per-service web resource directory and writes to an arbitrary path; the fix canonicalizes each target and skips entries that resolve outsideout.