Check and enforce canonical destination path of new file to resolve zip
slip vulnerability in 'DaeximOffsiteBackupProvider.java'
Issue-ID: CCSDK-3376
Signed-off-by: Jonathan Platt <jonathan.platt@att.com>
Change-Id: I249752d7a8bb1a8075502b5130f94c32986ab8ee
while(zipEntry != null){
String fileName = zipEntry.getName();
File newFile = new File(DAEXIM_DIR + fileName);
+ // To remediate zip slip vulnerability, ensure file has the expected canonical path
+ if (!newFile.getCanonicalPath().startsWith(DAEXIM_DIR)) {
+ throw new IOException("Entry is outside of the target directory");
+ }
FileOutputStream fos = new FileOutputStream(newFile);
int len;
while ((len = zis.read(bytes)) > 0) {
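Review bot: The prefix test at `if (!newFile.getCanonicalPath().startsWith(DAEXIM_DIR))` still admits entries that resolve into a sibling directory whose name begins with the target (e.g. `<DAEXIM_DIR>-old/…`) unless DAEXIM_DIR is guaranteed to end with a separator, and it compares a canonicalized path against a non-canonical constant, which can diverge when DAEXIM_DIR contains a symlink or `..` segment. Canonicalize the target once and include the separator in the comparison: `String target = new File(DAEXIM_DIR).getCanonicalPath() + File.separator;` then `if (!newFile.getCanonicalPath().startsWith(target))`. The `new File(DAEXIM_DIR + fileName)` concatenation just above suggests DAEXIM_DIR already ends with a separator, but the traversal check should not depend on that assumption. The enclosing loop and method continue outside the hunk, so the `FileOutputStream` opened after the check is not visible to the end; it should be closed via try-with-resources if it is not already.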