Revert "Prevent zip archives from putting files in directories outside of the target directory"
This reverts commit fa43644f9a26f942225aba3621f3b4ce1045265e.
Change-Id: I438193b1afbafa9870c2986dff2d6753ce15c30a
diff --git a/apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java b/apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java
index 068bc98..66d296a 100644
--- a/apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java
+++ b/apps/yang/src/main/java/org/onosproject/yang/impl/YangLiveCompilerManager.java
@@ -22,7 +22,6 @@
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Service;
-import org.onlab.util.ZipValidator;
import org.onosproject.yang.YangLiveCompilerService;
import org.onosproject.yang.compiler.tool.DefaultYangCompilationParam;
import org.onosproject.yang.compiler.tool.YangCompilerManager;
@@ -120,16 +119,12 @@
ZipInputStream zis = new ZipInputStream(stream);
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
- if (ZipValidator.validateZipEntry(entry, dir)) {
- if (!entry.isDirectory()) {
- byte[] data = toByteArray(zis);
- zis.closeEntry();
- File file = new File(dir, entry.getName());
- createParentDirs(file);
- write(data, file);
- }
- } else {
- throw new IOException("Zip archive is attempting to create a file outside of its root");
+ if (!entry.isDirectory()) {
+ byte[] data = toByteArray(zis);
+ zis.closeEntry();
+ File file = new File(dir, entry.getName());
+ createParentDirs(file);
+ write(data, file);
}
}
zis.close();
diff --git a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
index e63a78c..339e68e 100644
--- a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
+++ b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
@@ -25,7 +25,6 @@
import org.apache.commons.configuration.XMLConfiguration;
import org.apache.commons.lang.StringUtils;
import org.onlab.util.Tools;
-import org.onlab.util.ZipValidator;
import org.onosproject.app.ApplicationDescription;
import org.onosproject.app.ApplicationEvent;
import org.onosproject.app.ApplicationException;
@@ -363,16 +362,12 @@
if (!entry.isDirectory()) {
byte[] data = ByteStreams.toByteArray(zis);
zis.closeEntry();
- if (ZipValidator.validateZipEntry(entry, appDir)) {
- File file = new File(appDir, entry.getName());
- if (isTopLevel(file)) {
- createParentDirs(file);
- write(data, file);
- } else {
- isSelfContained = true;
- }
+ File file = new File(appDir, entry.getName());
+ if (isTopLevel(file)) {
+ createParentDirs(file);
+ write(data, file);
} else {
- throw new ApplicationException("Application Zip archive is attempting to leave application root");
+ isSelfContained = true;
}
}
}
diff --git a/utils/misc/src/main/java/org/onlab/util/ZipValidator.java b/utils/misc/src/main/java/org/onlab/util/ZipValidator.java
deleted file mode 100644
index 22c6cba..0000000
--- a/utils/misc/src/main/java/org/onlab/util/ZipValidator.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright 2018-present Open Networking Foundation
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onlab.util;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.zip.ZipEntry;
-
-/**
- * Utilities for validation of Zip files.
- */
-public final class ZipValidator {
-
- /**
- * Do not allow construction.
- */
- private ZipValidator() {
-
- }
-
- /**
- * Validates a zip entry. Checks that the file being created does not
- * lie outside the target directory.
- *
- * See https://snyk.io/research/zip-slip-vulnerability for more information.
- *
- * @param entry ZipEntry to check
- * @param destinationDir target directory
- * @return true if the Entry resolves to a file inside the target directory; false otherwise
- */
- public static boolean validateZipEntry(ZipEntry entry, File destinationDir) {
- try {
- String canonicalDestinationDirPath = destinationDir.getCanonicalPath();
- File destinationFile = new File(destinationDir, entry.getName());
- String canonicalDestinationFile = destinationFile.getCanonicalPath();
- return canonicalDestinationFile.startsWith(canonicalDestinationDirPath + File.separator);
- } catch (IOException ioe) {
- return false;
- }
- }
-
-}