import java.util.Optional;
import java.util.Set;
import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
public class CommonUtil {
String currentEntryName;
while ((zipEntry = inputZipStream.getNextEntry()) != null) {
+ assertEntryNotVulnerable(zipEntry);
currentEntryName = zipEntry.getName();
- // else, get the file content (as byte array) and save it in a map.
fileByteContent = FileUtils.toByteArray(inputZipStream);
int index = lastIndexFileSeparatorIndex(currentEntryName);
return new ImmutablePair<>(mapFileContent, folderList);
}
+ private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+ if (entry.getName().contains("../")) {
+ throw new ZipException("Path traversal attempt discovered.");
+ }
+ }
+
private static boolean isFile(String currentEntryName) {
return !(currentEntryName.endsWith("\\") || currentEntryName.endsWith("/"));
}
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.zip.ZipEntry;
+import java.util.zip.ZipException;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
if (zipFile == null || outputFolder == null) {
return;
}
- if (!outputFolder.toFile().exists()) {
- Files.createDirectories(outputFolder);
- }
+ createDirectoryIfNotExists(outputFolder);
try (FileInputStream fileInputStream = new FileInputStream(zipFile.toFile());
- ZipInputStream zis = new ZipInputStream(fileInputStream)) {
- ZipEntry ze = zis.getNextEntry();
- while (ze != null) {
- String fileName = ze.getName();
+ ZipInputStream stream = new ZipInputStream(fileInputStream)) {
+
+ ZipEntry entry;
+ while ((entry = stream.getNextEntry()) != null) {
+ assertEntryNotVulnerable(entry);
+ String fileName = entry.getName();
File newFile = new File(outputFolder.toString() + File.separator + fileName);
- if (ze.isDirectory()) {
- Path path = newFile.toPath();
- if (!path.toFile().exists()) {
- Files.createDirectories(path);
- }
+ if (entry.isDirectory()) {
+ createDirectoryIfNotExists(newFile.toPath());
} else {
- new File(newFile.getParent()).mkdirs();
- try (FileOutputStream fos = new FileOutputStream(newFile)) {
- ByteStreams.copy(zis, fos);
- }
+ persistFile(stream, newFile);
}
- ze = zis.getNextEntry();
}
+ }
+
+ }
- zis.closeEntry();
+ private static void persistFile(ZipInputStream stream, File newFile) throws IOException {
+ new File(newFile.getParent()).mkdirs();
+ try (FileOutputStream outputStream = new FileOutputStream(newFile)) {
+ ByteStreams.copy(stream, outputStream);
}
+ }
+ private static void createDirectoryIfNotExists(Path path) throws IOException {
+ if (!path.toFile().exists()) {
+ Files.createDirectories(path);
+ }
+ }
+
+ private static void assertEntryNotVulnerable(ZipEntry entry) throws ZipException {
+ if (entry.getName().contains("../")) {
+ throw new ZipException("Path traversal attempt discovered.");
+ }
}
}