fix: fail when trying to extract outside of dest dir

[odinn1984]

This PR is meant to fix an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive, that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.

A sample malicious zip file named zip-slip.zip (see this gist) was used, and when running the code below, resulted in the creation of /tmp/evil.txt outside of the intended /tmp/safe target.

File testZip = new File("zip-slip.zip");
File targetDirectory = new File("/tmp/safedir");
    
ZipUnArchiver zu = getZipUnArchiver( testZip );
zu.extract( "", targetDirectory );

There are various possible ways to avoid this issue, some include checking for .. (dot dot) characters in the filename, but the best solution in our opinion is to check if the final target filename, starts with the target folder (after both are resolved to their absolute path).

Stay secure,
Snyk Team