The unzip APIs in better-files are vulnerable to a Zip entry path manipulation (see: https://snyk.io/research/zip-slip-vulnerability). The library fails to check that the extracted file is going to be created under the destination folder.
A possible fix involves checking the normalized path of the final extracted file name and checking that it starts with the destination path:
```java
String canonicalDestinationDirPath = destinationDir.getCanonicalPath();
File destinationfile = new File(destinationDir, e.getName());
String canonicalDestinationFile = destinationfile.getCanonicalPath();
if (!canonicalDestinationFile.startsWith(canonicalDestinationDirPath + File.separator)) {
    throw new ArchiverException("Entry is outside of the target dir: " + e.getName());
}
```
Cheers,
A