Avoid zipSlip vulnerability.

tastybento 2021-09-12 21:53:26 -07:00
parent 5b838d0668
commit bb7f124066


@ -192,6 +192,9 @@ public class BlueprintClipboardManager {
if (!entry.isDirectory()) {
unzipFiles(zipInputStream, filePath);
} else {
if (!filePath.startsWith(blueprintFolder.getAbsolutePath())) {
throw new IOException("Entry is outside of the target directory");
}
Files.createDirectories(filePath);
}
@ -202,6 +205,9 @@ public class BlueprintClipboardManager {
}
private void unzipFiles(final ZipInputStream zipInputStream, final Path unzipFilePath) throws IOException {
if (!unzipFilePath.toAbsolutePath().toString().startsWith(blueprintFolder.getAbsolutePath())) {
throw new IOException("Entry is outside of the target directory");
}
try (BufferedOutputStream bos = new BufferedOutputStream(new FileOutputStream(unzipFilePath.toAbsolutePath().toString()))) {
byte[] bytesIn = new byte[1024];
int read;
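Review bot: Neither new containment check normalizes the path before comparing, so an entry name containing `..` segments can still pass; this applies to the `filePath.startsWith(...)` guard in the directory branch and to the guard at the top of `unzipFiles`. The `unzipFiles` guard is also a plain string-prefix test, so it accepts a sibling directory whose name merely begins with the blueprint folder's name. I would compute `Path base = blueprintFolder.toPath().toAbsolutePath().normalize();` once and use `if (!unzipFilePath.toAbsolutePath().normalize().startsWith(base))` in both places, so the comparison is by path component on a resolved path. How `filePath` is built is outside the hunk, so confirm it is not already normalized there; the body of `unzipFiles` also continues past the visible lines.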