From 917c64307ac18bd638ff65e500e7398efb2fdf36 Mon Sep 17 00:00:00 2001
From: eric-martin
Date: Mon, 22 Oct 2018 21:57:52 -0500
Subject: [PATCH] UnzipFile is vulnerable to Zip Slip #5497

---
 .../java/com/baeldung/unzip/UnzipFile.java | 22 +++++++++++++++---
 .../main/resources/unzipTest/compressed.zip | Bin 0 -> 256 bytes
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 core-java-io/src/main/resources/unzipTest/compressed.zip

diff --git a/core-java-io/src/main/java/com/baeldung/unzip/UnzipFile.java b/core-java-io/src/main/java/com/baeldung/unzip/UnzipFile.java
index 6648d5f926..140d809d44 100644
--- a/core-java-io/src/main/java/com/baeldung/unzip/UnzipFile.java
+++ b/core-java-io/src/main/java/com/baeldung/unzip/UnzipFile.java
@@ -9,13 +9,13 @@ import java.util.zip.ZipInputStream;
 
 public class UnzipFile {
     public static void main(final String[] args) throws IOException {
-        final String fileZip = "src/main/resources/compressed.zip";
+        final String fileZip = "src/main/resources/unzipTest/compressed.zip";
+        final File destDir = new File("src/main/resources/unzipTest");
         final byte[] buffer = new byte[1024];
         final ZipInputStream zis = new ZipInputStream(new FileInputStream(fileZip));
         ZipEntry zipEntry = zis.getNextEntry();
         while (zipEntry != null) {
-            final String fileName = zipEntry.getName();
-            final File newFile = new File("src/main/resources/unzipTest/" + fileName);
+            final File newFile = newFile(destDir, zipEntry);
             final FileOutputStream fos = new FileOutputStream(newFile);
             int len;
             while ((len = zis.read(buffer)) > 0) {
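Review bot: The `IOException` now thrown by `newFile(destDir, zipEntry)` exits `main` before the `zis.close()` at the end of the method runs, so a rejected entry leaks the `ZipInputStream` and the `FileInputStream` beneath it; open the stream with try-with-resources, `try (final ZipInputStream zis = new ZipInputStream(new FileInputStream(fileZip))) {`, so the failure path closes it as well. The same applies to the `FileOutputStream fos` opened per entry, whose close lies outside this hunk. Separately, every entry still goes straight to `new FileOutputStream(newFile)` with no `zipEntry.isDirectory()` check and no `mkdirs()` of the parent, so an entry such as `dir/file.txt` passes the new traversal check but the write fails with FileNotFoundException when `dir` does not yet exist, and a directory entry appears to be written as an empty regular file. The body of `main` continues past the end of this hunk.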
@@ -27,4 +27,20 @@ public class UnzipFile {
         zis.closeEntry();
         zis.close();
     }
+
+    /**
+     * @see https://snyk.io/research/zip-slip-vulnerability
+     */
+    public static File newFile(File destinationDir, ZipEntry zipEntry) throws IOException {
+        File destFile = new File(destinationDir, zipEntry.getName());
+
+        String destDirPath = destinationDir.getCanonicalPath();
+        String destFilePath = destFile.getCanonicalPath();
+
+        if (!destFilePath.startsWith(destDirPath + File.separator)) {
+            throw new IOException("Entry is outside of the target dir: " + zipEntry.getName());
+        }
+
+        return destFile;
+    }
 }
\ No newline at end of file
diff --git a/core-java-io/src/main/resources/unzipTest/compressed.zip b/core-java-io/src/main/resources/unzipTest/compressed.zip
new file mode 100644
index 0000000000000000000000000000000000000000..89a9fd831cd096c745a718559ca433666da44bec
GIT binary patch
literal 256
zcmWIWW@Zs#;Nak3P+S$}%YXzpf$Wmh;u1r>l8O>;PhCAj7KQ+Cc8+JCi@n)_a;!ic zKv1_4TsIR~cg&)yO9j+mTHM*^Ua}ZVB*4)rM>&sx~{I2_S7?M+A7YvVlxw N0>V5XT?67U006uTCJ_Jt

literal 0
HcmV?d00001
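Review bot: `destDirPath + File.separator` produces a doubled separator when the destination canonicalizes to a filesystem root (`/` on Unix, `C:\` on Windows, where `getCanonicalPath()` already returns a trailing separator), so for such a target every entry would be rejected; guard it with `String prefix = destDirPath.endsWith(File.separator) ? destDirPath : destDirPath + File.separator;` and test `destFilePath.startsWith(prefix)`. The separator itself must stay in the check, since it is what stops a sibling directory such as `unzipTest2` from matching a bare `unzipTest` prefix. The Javadoc should also be real Javadoc rather than a bare `@see` URL, which does not render as a link: a summary sentence stating that the returned File is guaranteed to lie inside `destinationDir`, `@param`/`@return`, `@throws IOException` for both a failed canonicalization and an entry that escapes the directory, and a why-note that canonical paths are compared deliberately so that `..` segments and, on Unix, pre-existing symlinks inside the destination are resolved before the comparison.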