Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Mitigate Zip Slip exlpoit
  • Loading branch information
ThexXTURBOXx committed Jan 7, 2022
1 parent 5624f3f commit c968e94
Showing 1 changed file with 9 additions and 3 deletions.
Expand Up @@ -35,6 +35,7 @@
*/
public final class ZipUtils {

// TODO: Maybe migrate to org.apache.commons.compress.archivers.examples.Expander?
/**
* Unzip files to path.
*
Expand Down Expand Up @@ -67,6 +68,11 @@ public static void unzipFilesToPath(String jarPath, String destinationDir) throw
String fileName = destinationDir + File.separator + entry.getName();
File f = new File(fileName);

if (!f.getCanonicalPath().startsWith(destinationDir)) {
System.out.println("Zip Slip exploit detected. Skipping entry " + entry.getName());
continue;
}

File parent = f.getParentFile();
if (!parent.exists()) {
parent.mkdirs();
Expand Down Expand Up @@ -106,15 +112,15 @@ public static void zipFile(File inputFile, File outputZip) {

public static void zipFolder(String srcFolder, String destZipFile, String ignore) throws Exception {
try (FileOutputStream fileWriter = new FileOutputStream(destZipFile);
ZipOutputStream zip = new ZipOutputStream(fileWriter)){
ZipOutputStream zip = new ZipOutputStream(fileWriter)) {
addFolderToZip("", srcFolder, zip, ignore);
zip.flush();
}
}

public static void zipFolderAPKTool(String srcFolder, String destZipFile) throws Exception {
try (FileOutputStream fileWriter = new FileOutputStream(destZipFile);
ZipOutputStream zip = new ZipOutputStream(fileWriter)){
ZipOutputStream zip = new ZipOutputStream(fileWriter)) {
addFolderToZipAPKTool("", srcFolder, zip);
zip.flush();
}
Expand Down Expand Up @@ -199,4 +205,4 @@ public static void addFolderToZipAPKTool(String path, String srcFolder, ZipOutpu
}
}
}
}
}

0 comments on commit c968e94

Please sign in to comment.