Layertools may extract entries outside of the destination path #25505


Closed
wants to merge 1 commit into from

Conversation

trgpa
Contributor

@trgpa trgpa commented Mar 5, 2021

The check for subdirectory in ExtractCommand.java will always return true because getAbsolutePath does not resolve .. and symlinks.
This PR uses getCanonicalPath and adds a file separator at the end of the destination path to avoid treating directories with the same prefix as subdirectories (e.g. /foo, /foobar).

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 5, 2021
@wilkinsona
Member

Thanks for the proposal but I am not sure that this change is necessary due to this existing line:

Cleaning the path should resolve any .. entries. If you've seen a scenario where this isn't sufficient, perhaps you could add a test demonstrating the problem?

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Mar 5, 2021
@wilkinsona
Member

No, it is necessary. For example, the path for an e/../../../../../e.jar entry in the jar becomes ../../../../e.jar.
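
A containment check of the kind the PR description and the comment above describe, as an added example that is not Spring Boot's own code: the class name and `isWithinDestination` are hypothetical, the entry names are constructed, and the temporary directory stands in for the real destination. It contrasts getAbsolutePath with getCanonicalPath for the `e/../../../../../e.jar` entry and shows why the trailing separator matters for `/foo` versus `/foobar`.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

// Added example, not the layertools ExtractCommand code. Names are hypothetical.
public class SafeExtractCheck {

    /** True only if the entry would land strictly inside the destination directory. */
    static boolean isWithinDestination(File destination, String entryName) throws IOException {
        // getCanonicalPath resolves "." and ".." components and symlinks;
        // getAbsolutePath only prepends the working directory and leaves ".." in place.
        String destPath = destination.getCanonicalPath();
        // A trailing separator stops "/foo" from matching "/foobar" as a prefix.
        if (!destPath.endsWith(File.separator)) {
            destPath += File.separator;
        }
        String entryPath = new File(destination, entryName).getCanonicalPath();
        return entryPath.startsWith(destPath);
    }

    public static void main(String[] args) throws IOException {
        File root = Files.createTempDirectory("layertools-demo").toFile();
        File destination = new File(root, "foo");
        Files.createDirectories(destination.toPath());
        Files.createDirectories(new File(root, "foobar").toPath());

        // Constructed entry names, as they might appear in a jar's central directory.
        String[] entries = {
            "lib/app.jar",               // ordinary entry, stays inside the destination
            "e/../../../../../e.jar",     // the traversal entry from the discussion
            "../foobar/sibling.jar"       // shares the "/foo" prefix but is a different directory
        };
        for (String entry : entries) {
            File target = new File(destination, entry);
            System.out.printf("%-26s absolute  = %s%n", entry, target.getAbsolutePath());
            System.out.printf("%-26s canonical = %s%n", "", target.getCanonicalPath());
            System.out.printf("%-26s allowed   = %b%n", "", isWithinDestination(destination, entry));
        }
    }
}
```

Only the first entry is allowed; the other two canonicalize to paths outside `.../foo/`, even though their absolute paths start with the destination's absolute path.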

@wilkinsona wilkinsona added type: bug A general bug and removed status: waiting-for-feedback We need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged labels Mar 5, 2021
@wilkinsona wilkinsona added this to the 2.3.x milestone Mar 5, 2021
@wilkinsona wilkinsona changed the title Prevent extracting zip entries outside of destination path in layertools Layertools may extract entries outside of the destination path Mar 5, 2021
@wilkinsona wilkinsona closed this in 1ac9b3f Mar 5, 2021
@wilkinsona wilkinsona modified the milestones: 2.3.x, 2.3.10 Mar 5, 2021
@wilkinsona
Member

Thanks very much for making your first contribution to Spring Boot, @trungPa.

@trgpa trgpa deleted the jarmode-layertools branch March 5, 2021 11:03