
Commit 9150736

authored
Merge pull request #2806 from BulkSecurityGeneratorProjectV2/fix/JLL/zip-slip-vulnerability
[SECURITY] Fix Zip Slip Vulnerability
2 parents 1b978d4 + 47afa2c commit 9150736


1 file changed

+3
-0
lines changed

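--- a/testng-core/src/main/java/org/testng/JarFileUtils.java
+++ b/testng-core/src/main/java/org/testng/JarFileUtils.java
@@ -76,6 +76,9 @@ private boolean testngXmlExistsInJar(File jarFile, List<String> classes) throws
 if (Parser.canParse(jeName.toLowerCase())) {
 InputStream inputStream = jf.getInputStream(je);
 File copyFile = new File(file, jeName);
+if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+throw new IOException("Bad zip entry");
+}
 copyFile.getParentFile().mkdirs();
 Files.copy(inputStream, copyFile.toPath());
 if (matchesXmlPathInJar(je)) {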
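Review bot: The containment check on new lines 79–81 runs only after `jf.getInputStream(je)` has been opened on line 77, so the rejection path throws with that stream still open. Whether it is ever closed depends on how `jf` is managed outside this hunk. Building `copyFile` and validating it before the `getInputStream` call would mean a rejected entry is never opened. The message `"Bad zip entry"` also omits which entry was refused, which makes a rejected jar hard to triage; `throw new IOException("Bad zip entry: " + jeName);` would name it, with the caveat that `jeName` comes from the archive and should be treated as untrusted text wherever it is logged. testngXmlExistsInJar starts and ends outside the hunk.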
