Merge pull request #1172 from eaftan/fix-zipslip-check

Use canonical dest dir path in ZipSlip check
soot-oss · Jan 28, 2025 · b069ac2 · b069ac2
2 parents a39e3cf + 42d50f8
commit b069ac2
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/...ain/java/sootup/java/bytecode/frontend/inputlocation/WarArchiveAnalysisInputLocation.java b/...ain/java/sootup/java/bytecode/frontend/inputlocation/WarArchiveAnalysisInputLocation.java
@@ -154,8 +154,9 @@ void extractWarFile(Path warFilePath, final Path destDirectory) {
         Path filepath = destDirectory.resolve(zipEntry.getName());
         final File file = filepath.toFile();
 
-        String canonicalPathStr = file.getCanonicalPath();
-        if (!canonicalPathStr.startsWith(destDirectory + File.separator)) {
+        String canonicalFilepathStr = file.getCanonicalPath();
+        String canonicalDestDirStr = dest.getCanonicalPath();
+        if (!canonicalFilepathStr.startsWith(canonicalDestDirStr + File.separator)) {
           throw new IllegalArgumentException(
               "ZipSlip Attack Mitigated: ZipEntry points outside of the target dir: "
                   + file.getName());