Hardened unpack() against path traversal attempts

ata4 · May 30, 2018 · 379b282 · 379b282
1 parent 5b4ce6d
commit 379b282
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/src/main/java/info/ata4/bsplib/PakFile.java b/src/main/java/info/ata4/bsplib/PakFile.java
@@ -68,19 +68,23 @@ public void unpack(Path dest, List<String> names) throws IOException {
                     continue;
                 }
 
-                // some maps have embedded files with absolute paths, for
-                // whatever reason...
-                zipName = zipName.replace(':', '_');
-
-                Path entryFile = dest.resolve(zipName);
+                // create file path for zip entry and canonize it
+                Path entryFile = dest.resolve(zipName).normalize();
 
+                // don't allow file path to exit the extraction directory
+                if (!entryFile.startsWith(dest)) {
+                    L.log(Level.WARNING, "Skipped {0} (path traversal attempt)", ze.getName());
+                    continue;
+                }
+
+                // create missing parent directory
                 if (Files.notExists(entryFile.getParent())) {
                     Files.createDirectories(entryFile.getParent());
                 }
 
                 // don't overwrite any files
                 if (Files.exists(entryFile)) {
-                    L.log(Level.INFO, "Skipped {0}", ze.getName());
+                    L.log(Level.WARNING, "Skipped {0} (exists)", ze.getName());
                     continue;
                 }