[#514] fix CVE on JarScanner
laurentschoelens authored and mattrpav committed Mar 4, 2024
1 parent 923215e commit 4a3fc57
Showing 1 changed file with 4 additions and 0 deletions.
Expand Up @@ -52,6 +52,10 @@ public void scan() {
while (jarFileEntries.hasMoreElements()) {
JarEntry entry = jarFileEntries.nextElement();
String name = entry.getName();
if (name.startsWith("..") || name.startsWith("/")) {
// ignore "zip slip" file pattern attack
continue;
}
char[][] tokenizedName = tokenizePathToCharArray(name, File.separator);
if (name.endsWith("/")) {
// entry is a directory -> skip
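Review bot: The added guard in `scan()` only rejects entry names that begin with `..` or `/`, so a name that carries the parent-directory segment later in the path (constructed sample: `a/../../b`) or uses `\` as its separator still reaches `tokenizePathToCharArray`. It also skips legitimate entries whose first segment merely starts with two dots, such as `..data/x`. Consider matching whole path segments instead, e.g. `if (name.startsWith("/") || Arrays.asList(name.split("[/\\\\]")).contains("..")) { continue; }`, and, if the name is later resolved against an output directory (not visible here), checking that the normalized target stays under that directory. The comment could also say what the scanner does with `name` afterwards, so a reader can judge whether skipping the entry is sufficient. The body of `scan()` starts and ends outside this hunk.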
