-
Notifications
You must be signed in to change notification settings - Fork 310
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#62 Canonical path fix #63
#62 Canonical path fix #63
Conversation
zip slip fix. Both the path being compared and comparing should use getCanonicalPath
fix excepitons that may occur when adding files or folder with not normalized path
@@ -41,13 +41,13 @@ protected long calculateTotalWork(AddFolderToZipTaskParameters taskParameters) t | |||
return calculateWorkForFiles(filesToAdd, taskParameters.zipParameters); | |||
} | |||
|
|||
private void setDefaultFolderPath(AddFolderToZipTaskParameters taskParameters) { | |||
private void setDefaultFolderPath(AddFolderToZipTaskParameters taskParameters) throws IOException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it necessary to also change this method? I think just changing it above in AbstractExtractFileTask.java
is enough?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently this change will not work because the getDefaultFolderPath
is only used when calling getRelativeFileName
in my following change.
But this setDefaultFolderPath
here will set default folder path to some path like /home/test/testDir/../testDir
if I'm adding a folder with not normalized folder path. I think this may lead to some other exceptions if some other method calls getDefaultFolderPath
in future.
I think it's better to fix it this time. What do you think?
@@ -181,41 +181,46 @@ public static String getZipFileNameWithoutExtension(String zipFile) throws ZipEx | |||
return splitZipFiles; | |||
} | |||
|
|||
public static String getRelativeFileName(String file, String rootFolderPath) { | |||
public static String getRelativeFileName(String file, String rootFolderPath) throws ZipException { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment as above also here: Is it necessary to also change this method? I think just changing it above in AbstractExtractFileTask.java
is enough?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is necessary. Please refer to my following comment.
zipFile.extractAll(new File(outputFolder.getPath(), | ||
".." + InternalZipConstants.FILE_SEPARATOR + outputFolder.getName()).getAbsolutePath()); | ||
} catch (ZipException e) { | ||
fail("Should not throw an exception"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not necessary. If there is an exception, this method will fail anyway. Please remove the catch block.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure
zipFile.addFile(fileToAddPath, parameters); | ||
ZipFileVerifier.verifyZipFileByExtractingAllFiles(generatedZipFile, outputFolder, 13); | ||
} catch (IOException e) { | ||
fail("Should not throw an exception"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not necessary. If there is an exception, this method will fail anyway. Please remove the catch block.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure
The changes in
This test will throw an exception in Currently, the change in
if I'm adding a folder with not normalized folder path. I think this may lead to some other exceptions if some other method calls |
revert getCanonicalPath back to getPath in tests in commit srikanth-lingala#44. 19 occurrences in total need to be reverted
7cc6714
to
75de1a7
Compare
These Pull Requests contain the following content:
1.fix zip slip in issue #62
2.revert getCanonicalPath back to getPath in commit #44 (19 occurrences in total)
3.fix exceptions in adding files caused by not normalized file path. Including:
(1) fix
getRelativeFileName
in FileUtils.java by changing inputfile
androotFolderPath
into canonical path. Throw new ZipException when catch IOException thrown by getCanonicalPath()(2) adding new testcase
testUnzipFileZipSlipWithNotNormalizedTarget
in MiscZipFileIT.java for thisI also checked all the occurrences of
getPath()
andgetAbsolutePath()
. I think they are working correctly and would not cause exceptions right now. Maybe changing all of them togetCanonicalPath()
is a good idea, but I'm not sure about this.