Merge pull request from GHSA-m88m-crr9-jvqq

* Fix zip slip vulnerability in project import command

* Add zip-slip.tar test resource

main/src/com/google/refine/io/FileProjectManager.java

@@ -169,6 +169,9 @@ protected void untar(File destDir, InputStream inputStream) throws IOException {
 
         while ((tarEntry = tin.getNextTarEntry()) != null) {
             File destEntry = new File(destDir, tarEntry.getName());
+            if (!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) {
+                throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
+            }
             File parent = destEntry.getParentFile();
 
             if (!parent.exists()) {

main/tests/server/src/com/google/refine/io/FileProjectManagerTests.java

@@ -150,4 +150,19 @@ public void metaFileUpdateTest() throws GetProjectIDException, InterruptedExcept
         assertEquals(timeBeforeB, timeAfterB);
         assertNotEquals(timeBeforeA, timeAfterA);
     }
+
+    @Test
+    public void testUntarZipSlip() throws IOException {
+        FileProjectManager manager = new FileProjectManagerStub(workspaceDir);
+
+        File tempDir = TestUtils.createTempDirectory("openrefine-project-import-zip-slip-test");
+        try {
+            File subDir = new File(tempDir, "dest");
+            InputStream stream = FileProjectManagerTests.class.getClassLoader().getResourceAsStream("zip-slip.tar");
+
+            assertThrows(IllegalArgumentException.class, () -> manager.untar(subDir, stream));
+        } finally {
+            tempDir.delete();
+        }
+    }
 }