Prevent zip archives from putting files in directories outside of the target directory
Change-Id: I4c751097e8d5190f3df32d8aa4195336e28b1c0a
diff --git a/utils/misc/src/main/java/org/onlab/util/ZipValidator.java b/utils/misc/src/main/java/org/onlab/util/ZipValidator.java
new file mode 100644
index 0000000..22c6cba
--- /dev/null
+++ b/utils/misc/src/main/java/org/onlab/util/ZipValidator.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright 2018-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onlab.util;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.zip.ZipEntry;
+
+/**
+ * Utilities for validation of Zip files.
+ */
+public final class ZipValidator {
+
+ /**
+ * Do not allow construction.
+ */
+ private ZipValidator() {
+
+ }
+
+ /**
+ * Validates a zip entry. Checks that the file being created does not
+ * lie outside the target directory.
+ *
+ * See https://snyk.io/research/zip-slip-vulnerability for more information.
+ *
+ * @param entry ZipEntry to check
+ * @param destinationDir target directory
+ * @return true if the Entry resolves to a file inside the target directory; false otherwise
+ */
+ public static boolean validateZipEntry(ZipEntry entry, File destinationDir) {
+ try {
+ String canonicalDestinationDirPath = destinationDir.getCanonicalPath();
+ File destinationFile = new File(destinationDir, entry.getName());
+ String canonicalDestinationFile = destinationFile.getCanonicalPath();
+ return canonicalDestinationFile.startsWith(canonicalDestinationDirPath + File.separator);
+ } catch (IOException ioe) {
+ return false;
+ }
+ }
+
+}