Prevent zip archives from putting files in directories outside of the target directory
Change-Id: I4c751097e8d5190f3df32d8aa4195336e28b1c0a
diff --git a/apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java b/apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java
index 66d296a..068bc98 100644
--- a/apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java
+++ b/apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java
@@ -22,6 +22,7 @@
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Service;
+import org.onlab.util.ZipValidator;
import org.onosproject.yang.YangLiveCompilerService;
import org.onosproject.yang.compiler.tool.DefaultYangCompilationParam;
import org.onosproject.yang.compiler.tool.YangCompilerManager;
@@ -119,12 +120,16 @@
ZipInputStream zis = new ZipInputStream(stream);
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
- if (!entry.isDirectory()) {
- byte[] data = toByteArray(zis);
- zis.closeEntry();
- File file = new File(dir, entry.getName());
- createParentDirs(file);
- write(data, file);
+ if (ZipValidator.validateZipEntry(entry, dir)) {
+ if (!entry.isDirectory()) {
+ byte[] data = toByteArray(zis);
+ zis.closeEntry();
+ File file = new File(dir, entry.getName());
+ createParentDirs(file);
+ write(data, file);
+ }
+ } else {
+ throw new IOException("Zip archive is attempting to create a file outside of its root");
}
}
zis.close();
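Review bot: The new `throw new IOException(...)` inside the loop bypasses the `zis.close()` on the last line of this hunk, so the ZipInputStream stays open whenever an entry is rejected (the same was already true for a failure in `toByteArray` or `write`). Opening it as `try (ZipInputStream zis = new ZipInputStream(stream)) {` would close it on every exit path. The enclosing method starts outside the hunk, so an outer try/finally that closes `stream` may already exist; that is worth confirming. Adding `entry.getName()` to the exception message would also let an operator see which entry was refused.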
diff --git a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
index 339e68e..e63a78c 100644
--- a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
+++ b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
@@ -25,6 +25,7 @@
import org.apache.commons.configuration.XMLConfiguration;
import org.apache.commons.lang.StringUtils;
import org.onlab.util.Tools;
+import org.onlab.util.ZipValidator;
import org.onosproject.app.ApplicationDescription;
import org.onosproject.app.ApplicationEvent;
import org.onosproject.app.ApplicationException;
@@ -362,12 +363,16 @@
if (!entry.isDirectory()) {
byte[] data = ByteStreams.toByteArray(zis);
zis.closeEntry();
- File file = new File(appDir, entry.getName());
- if (isTopLevel(file)) {
- createParentDirs(file);
- write(data, file);
+ if (ZipValidator.validateZipEntry(entry, appDir)) {
+ File file = new File(appDir, entry.getName());
+ if (isTopLevel(file)) {
+ createParentDirs(file);
+ write(data, file);
+ } else {
+ isSelfContained = true;
+ }
} else {
- isSelfContained = true;
+ throw new ApplicationException("Application Zip archive is attempting to leave application root");
}
}
}
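Review bot: `ByteStreams.toByteArray(zis)` still runs before `ZipValidator.validateZipEntry(entry, appDir)`, so an entry that is about to be rejected is first read into memory in full. The check needs only the entry name and can come first, e.g. `if (!ZipValidator.validateZipEntry(entry, appDir)) { throw new ApplicationException(...); }` ahead of the read, which also matches the order used in YangLiveCompilerManager. Files written from earlier entries stay under `appDir` when the exception is thrown; whether the caller removes the partially expanded directory is not visible here, because the method begins and ends outside the hunk. A short comment such as `// Reject entries that resolve outside appDir (zip-slip) before writing anything` would explain the guard to the next reader.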
diff --git a/utils/misc/src/main/java/org/onlab/util/ZipValidator.java b/utils/misc/src/main/java/org/onlab/util/ZipValidator.java
new file mode 100644
index 0000000..22c6cba
--- /dev/null
+++ b/utils/misc/src/main/java/org/onlab/util/ZipValidator.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2018-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onlab.util;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.zip.ZipEntry;
+
+/**
+ * Utilities for validation of Zip files.
+ */
+public final class ZipValidator {
+
+ /**
+ * Do not allow construction.
+ */
+ private ZipValidator() {
+
+ }
+
+ /**
+ * Validates a zip entry. Checks that the file being created does not
+ * lie outside the target directory.
+ *
+ * See https://snyk.io/research/zip-slip-vulnerability for more information.
+ *
+ * @param entry ZipEntry to check
+ * @param destinationDir target directory
+ * @return true if the Entry resolves to a file inside the target directory; false otherwise
+ */
+ public static boolean validateZipEntry(ZipEntry entry, File destinationDir) {
+ try {
+ String canonicalDestinationDirPath = destinationDir.getCanonicalPath();
+ File destinationFile = new File(destinationDir, entry.getName());
+ String canonicalDestinationFile = destinationFile.getCanonicalPath();
+ return canonicalDestinationFile.startsWith(canonicalDestinationDirPath + File.separator);
+ } catch (IOException ioe) {
+ return false;
+ }
+ }
+
+}
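Review bot: The `catch (IOException ioe)` in `validateZipEntry` returns false without recording the cause, so a canonicalisation failure is reported by both callers as an attempt to leave the root. Logging the exception, or stating it in the Javadoc (`@return ... false otherwise, including when a path cannot be canonicalised`), would keep the two cases distinguishable. The `startsWith(canonicalDestinationDirPath + File.separator)` test also rejects an entry that resolves to the destination directory itself (for example a name of `./`); that fails closed but may refuse benign archives, so it deserves a sentence in the Javadoc. No test for the validator is visible in this diff; cases for a nested path, a `..` path and the directory-itself name would pin the behaviour.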