
Merge pull request #730 from coheigea/KARAF-6090
[KARAF-6090] Also check the URL encoded form of ".."
jbonofre committed Jan 18, 2019
2 parents cbf9755 + ac6874f commit b833eab
Showing 2 changed files with 33 additions and 1 deletion.
2 changes: 1 addition & 1 deletion kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
Expand Up @@ -114,7 +114,7 @@ public void extract(File repoDir, File resourceDir) {

ZipEntry entry = zipIs.getNextEntry();
while (entry != null) {
if (entry.getName().contains("..")) {
if (entry.getName().contains("..") || entry.getName().contains("%2e%2e")) {
LOGGER.warn("kar entry {} contains a .. relative path. For security reasons, it's not allowed.", entry.getName());
} else {
if (entry.getName().startsWith("repository/")) {
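Review bot: The new condition on the `if` line is a case-sensitive substring denylist, so the uppercase encoding `%2E%2E` and mixed spellings such as `.%2e` or `%2e.` pass it while plain `..` and lowercase `%2e%2e` are rejected; whether the `%2e%2e` branch matters at all depends on whether extract() URL-decodes entry names somewhere, which is not visible in this hunk. A positional check is more reliable than a lexical one: resolve the entry name against its destination directory (repoDir or resourceDir, selected by the `startsWith("repository/")` branch below) and reject the entry when `target.getCanonicalPath()` does not start with `dir.getCanonicalPath() + File.separator`. As a minimal hardening of this line in the meantime, normalise case before the substring test, e.g. `entry.getName().toLowerCase(Locale.ROOT).contains("%2e%2e")`. The body of extract() starts and ends outside the hunk, so the point where the target File is built cannot be reviewed here.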
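--- a/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
+++ b/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
@@ -74,6 +74,38 @@ public void badKarExtractTest() throws Exception {
 Assert.assertEquals(0, repoDirFiles.length);
 File[] resourceDirFiles = resourceDir.listFiles();
 Assert.assertEquals(0, resourceDirFiles.length);
+
+badKarFile.delete();
+}
+
+@Test
+public void badEncodedKarExtractTest() throws Exception {
+File base = new File("target/test");
+base.mkdirs();
+File badKarFile = new File(base,"badencoded.kar");
+ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(badKarFile));
+// Use the encoded form of ".." here
+ZipEntry entry = new ZipEntry("%2e%2e/%2e%2e/%2e%2e/%2e%2e/foo.bar");
+zos.putNextEntry(entry);
+
+byte[] data = "Test Data".getBytes();
+zos.write(data, 0, data.length);
+zos.closeEntry();
+zos.close();
+
+Kar kar = new Kar(new URI("file:target/test/badencoded.kar"));
+File repoDir = new File("target/test/repo");
+repoDir.mkdirs();
+File resourceDir = new File("target/test/resources");
+resourceDir.mkdirs();
+kar.extract(repoDir, resourceDir);
+
+File[] repoDirFiles = repoDir.listFiles();
+Assert.assertEquals(0, repoDirFiles.length);
+File[] resourceDirFiles = resourceDir.listFiles();
+Assert.assertEquals(0, resourceDirFiles.length);
+
+badKarFile.delete();
 }
 
 }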
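Review bot: The `ZipOutputStream zos` opened on the `new ZipOutputStream(new FileOutputStream(badKarFile))` line is closed only on the success path, so a failure in putNextEntry or write leaks the handle and leaves a half-written badencoded.kar in target/test; open it as `try (ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(badKarFile))) {` with the putNextEntry/write/closeEntry calls inside and drop the explicit `zos.close()`. The visible tail of the existing badKarExtractTest is repeated line-for-line in the new test, so a private helper taking the entry name and kar file name (the only values that differ) would keep both tests to a few lines and apply the same resource handling to each. `"Test Data".getBytes()` depends on the platform default charset; `getBytes(StandardCharsets.UTF_8)` makes the fixture deterministic across build machines. Because the production check is an exact-case substring match, a second entry or test using the uppercase encoding `%2E%2E` would pin whether that spelling is meant to be rejected as well.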
