#62 Canonical path fix #63
Conversation
zip slip fix. Both the path being compared and comparing should use getCanonicalPath
fix excepitons that may occur when adding files or folder with not normalized path
| @@ -41,13 +41,13 @@ protected long calculateTotalWork(AddFolderToZipTaskParameters taskParameters) t | |||
| return calculateWorkForFiles(filesToAdd, taskParameters.zipParameters); | |||
| } | |||
|
|
|||
| private void setDefaultFolderPath(AddFolderToZipTaskParameters taskParameters) { | |||
| private void setDefaultFolderPath(AddFolderToZipTaskParameters taskParameters) throws IOException { | |||
There was a problem hiding this comment.
Is it necessary to also change this method? I think just changing it above in AbstractExtractFileTask.java is enough?
There was a problem hiding this comment.
Currently this change will not work because the getDefaultFolderPath is only used when calling getRelativeFileName in my following change.
But this setDefaultFolderPath here will set default folder path to some path like /home/test/testDir/../testDir if I'm adding a folder with not normalized folder path. I think this may lead to some other exceptions if some other method calls getDefaultFolderPath in future.
I think it's better to fix it this time. What do you think?
| @@ -181,41 +181,46 @@ public static String getZipFileNameWithoutExtension(String zipFile) throws ZipEx | |||
| return splitZipFiles; | |||
| } | |||
|
|
|||
| public static String getRelativeFileName(String file, String rootFolderPath) { | |||
| public static String getRelativeFileName(String file, String rootFolderPath) throws ZipException { | |||
There was a problem hiding this comment.
Same comment as above also here: Is it necessary to also change this method? I think just changing it above in AbstractExtractFileTask.java is enough?
There was a problem hiding this comment.
This is necessary. Please refer to my following comment.
| zipFile.extractAll(new File(outputFolder.getPath(), | ||
| ".." + InternalZipConstants.FILE_SEPARATOR + outputFolder.getName()).getAbsolutePath()); | ||
| } catch (ZipException e) { | ||
| fail("Should not throw an exception"); |
There was a problem hiding this comment.
This is not necessary. If there is an exception, this method will fail anyway. Please remove the catch block.
| zipFile.addFile(fileToAddPath, parameters); | ||
| ZipFileVerifier.verifyZipFileByExtractingAllFiles(generatedZipFile, outputFolder, 13); | ||
| } catch (IOException e) { | ||
| fail("Should not throw an exception"); |
There was a problem hiding this comment.
This is not necessary. If there is an exception, this method will fail anyway. Please remove the catch block.
|
The changes in This test will throw an exception in Currently, the change in
if I'm adding a folder with not normalized folder path. I think this may lead to some other exceptions if some other method calls |
revert getCanonicalPath back to getPath in tests in commit srikanth-lingala#44. 19 occurrences in total need to be reverted
LeeYoung624
force-pushed
the
canonical_path_fix
branch
from
7cc6714
to
75de1a7
Compare
These Pull Requests contain the following content:
1.fix zip slip in issue #62
2.revert getCanonicalPath back to getPath in commit #44 (19 occurrences in total)
3.fix exceptions in adding files caused by not normalized file path. Including:
(1) fix
getRelativeFileNamein FileUtils.java by changing inputfileandrootFolderPathinto canonical path. Throw new ZipException when catch IOException thrown by getCanonicalPath()(2) adding new testcase
testUnzipFileZipSlipWithNotNormalizedTargetin MiscZipFileIT.java for thisI also checked all the occurrences of
getPath()andgetAbsolutePath(). I think they are working correctly and would not cause exceptions right now. Maybe changing all of them togetCanonicalPath()is a good idea, but I'm not sure about this.