fix security problem as the CI alerts

apache · Mar 3, 2023 · 38a0aad · 38a0aad
1 parent a664be2
commit 38a0aad
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/.../main/java/org/apache/hugegraph/backend/store/raft/compress/ParallelCompressStrategy.java b/.../main/java/org/apache/hugegraph/backend/store/raft/compress/ParallelCompressStrategy.java
@@ -23,6 +23,7 @@
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Paths;
 import java.util.Enumeration;
@@ -204,6 +205,11 @@ private void unZipFile(final ZipFile zipFile, final ZipArchiveEntry entry,
                            final String targetDir)
         throws Exception {
         final File targetFile = new File(Paths.get(targetDir, entry.getName()).toString());
+        if (!targetFile.toPath().normalize().startsWith(targetDir)) {
+            throw new IOException(String.format("Bad entry: %s",
+                                                entry.getName()));
+        }
+
         FileUtils.forceMkdir(targetFile.getParentFile());
         try (final InputStream is = zipFile.getInputStream(entry);
              final BufferedInputStream fis = new BufferedInputStream(is);