Merge pull request #1225 from kermitt2/alert-autofix-39

Fix code scanning alert no. 39: Arbitrary file access during archive extraction ("Zip Slip")
kermitt2 · Jan 10, 2025 · f6ac80f · f6ac80f
2 parents 2ab61a6 + 1c1df62
commit f6ac80f
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/grobid-core/src/main/java/org/grobid/core/main/GrobidHomeFinder.java b/grobid-core/src/main/java/org/grobid/core/main/GrobidHomeFinder.java
@@ -173,7 +173,10 @@ private static List<Path> unzip(InputStream is, File destinationDir) throws IOEx
         ZipInputStream zipIn = new ZipInputStream(is);
         ZipEntry entry = zipIn.getNextEntry();
         while (entry != null) {
-            File filePath = new File(destinationDir, entry.getName());
+            File filePath = new File(destinationDir, entry.getName()).toPath().normalize().toFile();
+            if (!filePath.toPath().startsWith(destinationDir.toPath())) {
+                throw new IOException("Bad zip entry: " + entry.getName());
+            }
             try {
                 if (!entry.isDirectory()) {
                     String absolutePath = filePath.getAbsolutePath();