Prevent zip archives from putting files in directories outside of the target directory
Change-Id: I4c751097e8d5190f3df32d8aa4195336e28b1c0a
diff --git a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
index 339e68e..e63a78c 100644
--- a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
+++ b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
@@ -25,6 +25,7 @@
import org.apache.commons.configuration.XMLConfiguration;
import org.apache.commons.lang.StringUtils;
import org.onlab.util.Tools;
+import org.onlab.util.ZipValidator;
import org.onosproject.app.ApplicationDescription;
import org.onosproject.app.ApplicationEvent;
import org.onosproject.app.ApplicationException;
@@ -362,12 +363,16 @@
if (!entry.isDirectory()) {
byte[] data = ByteStreams.toByteArray(zis);
zis.closeEntry();
- File file = new File(appDir, entry.getName());
- if (isTopLevel(file)) {
- createParentDirs(file);
- write(data, file);
+ if (ZipValidator.validateZipEntry(entry, appDir)) {
+ File file = new File(appDir, entry.getName());
+ if (isTopLevel(file)) {
+ createParentDirs(file);
+ write(data, file);
+ } else {
+ isSelfContained = true;
+ }
} else {
- isSelfContained = true;
+ throw new ApplicationException("Application Zip archive is attempting to leave application root");
}
}
}
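Review bot: The `ZipValidator.validateZipEntry(entry, appDir)` check runs only after `byte[] data = ByteStreams.toByteArray(zis);` has buffered the whole entry, so an entry that is about to be rejected is still read into memory in full. The check uses only the entry and `appDir`, so it could sit as a guard above the read: `if (!ZipValidator.validateZipEntry(entry, appDir)) { throw new ApplicationException("Application Zip archive is attempting to leave application root"); }`. That also removes one nesting level from the write path. Entries handled before the offending one have presumably already been written under `appDir`. Whether the caller removes that partial extraction when the exception propagates cannot be seen here, because the enclosing method starts and ends outside the hunk; it is worth confirming and covering with a test that uses an archive whose escaping entry is not the first.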