
Layertools may extract entries outside of the destination path#25505

Closed
trgpa wants to merge 1 commit into spring-projects:master from trgpa:jarmode-layertools

Conversation

@trgpa
Contributor

@trgpa trgpa commented Mar 5, 2021

The check for subdirectory in ExtractCommand.java will always return true because getAbsolutePath does not resolve .. and symlinks.
This PR uses getCanonicalPath and adds a file separator at the end of the destination path to avoid treating directories with the same prefix as subdirectories (e.g. /foo, /foobar).

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 5, 2021
@wilkinsona
Member

Thanks for the proposal but I am not sure that this change is necessary due to this existing line:

Cleaning the path should resolve any .. entries. If you've seen a scenario where this isn't sufficient, perhaps you could add a test demonstrating the problem?

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Mar 5, 2021
@wilkinsona
Member

No, it is necessary. For example, the path for an e/../../../../../e.jar entry in the jar becomes ../../../../e.jar.

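The two containment checks discussed in this thread (the getAbsolutePath prefix test the PR description calls out, and the getCanonicalPath-plus-trailing-separator test it proposes), as an added Java example that is neither the PR's diff nor Spring Boot's own ExtractCommand code. The destination directory under java.io.tmpdir and the entry names are constructed for illustration; the ../../../../e.jar entry is the cleaned form wilkinsona describes above, and ../layersX/x.jar stands in for the /foo versus /foobar same-prefix case from the PR description.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added demonstration (not Spring Boot's code) of why a getAbsolutePath()-based
 * containment check is bypassable by ".." entries, and why the canonical-path
 * check also needs a trailing separator to reject same-prefix sibling directories.
 */
public class ExtractPathCheckDemo {

    /** Naive check: getAbsolutePath() keeps ".." segments, so the prefix test passes
     *  for "/dest/../../x" even though the file lands outside "/dest". */
    static boolean naiveIsWithin(File destination, String entryName) {
        File target = new File(destination, entryName);
        return target.getAbsolutePath().startsWith(destination.getAbsolutePath());
    }

    /** Canonical paths resolve ".." and symlinks, but without a trailing separator
     *  "/tmp/layersX/x.jar" still starts with "/tmp/layers" and is wrongly accepted. */
    static boolean canonicalNoSeparatorIsWithin(File destination, String entryName) throws IOException {
        String root = destination.getCanonicalPath();
        String target = new File(destination, entryName).getCanonicalPath();
        return target.startsWith(root);
    }

    /** Hardened check as proposed in the PR: canonical root with a trailing
     *  separator, compared against the canonical target. */
    static boolean canonicalIsWithin(File destination, String entryName) throws IOException {
        String root = destination.getCanonicalPath();
        if (!root.endsWith(File.separator)) {
            root += File.separator;
        }
        String target = new File(destination, entryName).getCanonicalPath();
        return target.startsWith(root);
    }

    public static void main(String[] args) throws IOException {
        // Constructed destination; nothing is written to disk, canonicalisation works on
        // non-existent paths too.
        File destination = new File(System.getProperty("java.io.tmpdir"), "layers");
        String[] entries = {
            "BOOT-INF/lib/app.jar",   // legitimate entry: all three checks accept it
            "../../../../e.jar",      // traversal entry from the discussion: only naive accepts
            "../layersX/x.jar"        // same-prefix sibling: naive and no-separator accept, hardened rejects
        };
        for (String entry : entries) {
            System.out.printf("%-24s naive=%-5s canonicalNoSep=%-5s canonical=%-5s%n",
                    entry,
                    naiveIsWithin(destination, entry),
                    canonicalNoSeparatorIsWithin(destination, entry),
                    canonicalIsWithin(destination, entry));
        }
    }
}
```

Running it shows the naive check accepting every entry, the separator-less canonical check still accepting the sibling-directory entry, and only the hardened check rejecting both escapes; the trailing separator is what turns a string-prefix test into a real directory-containment test.
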
@wilkinsona wilkinsona added type: bug A general bug and removed status: waiting-for-feedback We need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged labels Mar 5, 2021
@wilkinsona wilkinsona added this to the 2.3.x milestone Mar 5, 2021
@wilkinsona wilkinsona changed the title Prevent extracting zip entries outside of destination path in layertools Layertools may extract entries outside of the destination path Mar 5, 2021
@wilkinsona wilkinsona closed this in 1ac9b3f Mar 5, 2021
@wilkinsona wilkinsona modified the milestones: 2.3.x, 2.3.10 Mar 5, 2021
@wilkinsona
Member

Thanks very much for making your first contribution to Spring Boot, @trungPa.

@trgpa trgpa deleted the jarmode-layertools branch March 5, 2021 11:03

Labels

type: bug A general bug
