Potential Path Traversal Vulnerability in "copyDirectoryFromPod" method

[chenyihao396]

Describe the bug
Hi,
When checking the CVE-2020-8570 fix commit, I discovered that a potential CWE-22 vulnerability still exists in the "Copy.java" file "copyDirectoryFromPod" method, which affects from version"client-java-parent-10.0.1" to the latest version.

The normalName variable, generated from srcPath (representing the extracted file name), is normalized using FilenameUtils.normalize(entry.getName()) but is not properly validated to ensure that it doesn't contain path traversal sequences like ../.

As a result, an attacker may could craft malicious file names in the tar archive (e.g., ../../etc/passwd) to potentially overwrite or access files outside of the intended destination directory, causing a security risk.

Vulnerability Type
Path Traversal (CWE-22)

Affected Versions
client-java-parent-10.0.1 through the latest version

[brendandburns]

Based on the documentation for normalize:

https://commons.apache.org/proper/commons-io/apidocs/org/apache/commons/io/FilenameUtils.html#normalize(java.lang.String)

I do not believe it is possible for there to be path traversal sequences in normalName.

If you believe that is incorrect, please send a unit test reproducing this issue.