From 1c1df628b26c822177346db54f005b14bb282ada Mon Sep 17 00:00:00 2001
From: Luca Foppiano
Date: Fri, 10 Jan 2025 10:07:31 +0100
Subject: [PATCH] Fix code scanning alert no. 39: Arbitrary file access during archive extraction ("Zip Slip")
Fix the possibility that someone would download a sneaky grobid home which will be used to write arbitrary files outside the designated temporary directory
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
.../src/main/java/org/grobid/core/main/GrobidHomeFinder.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/grobid-core/src/main/java/org/grobid/core/main/GrobidHomeFinder.java b/grobid-core/src/main/java/org/grobid/core/main/GrobidHomeFinder.java
index 3a3a0eb8d4..c0ef6e4ae0 100644
--- a/grobid-core/src/main/java/org/grobid/core/main/GrobidHomeFinder.java
+++ b/grobid-core/src/main/java/org/grobid/core/main/GrobidHomeFinder.java
@@ -173,7 +173,10 @@ private static List unzip(InputStream is, File destinationDir) throws IOEx
 ZipInputStream zipIn = new ZipInputStream(is);
 ZipEntry entry = zipIn.getNextEntry();
 while (entry != null) {
- File filePath = new File(destinationDir, entry.getName());
+ File filePath = new File(destinationDir, entry.getName()).toPath().normalize().toFile();
+ if (!filePath.toPath().startsWith(destinationDir.toPath())) {
+ throw new IOException("Bad zip entry: " + entry.getName());
+ }
 try {
 if (!entry.isDirectory()) {
 String absolutePath = filePath.getAbsolutePath();
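Review bot: The containment check on the added `if` line compares the `normalize()`d entry path against the raw `destinationDir.toPath()`, so a destination handed in with `.`/`..` components (for example `./tmp`) makes `Path.startsWith` fail for every entry and the whole archive is rejected with "Bad zip entry"; the base should be absolutised and normalised once, before the `while` loop, and each entry resolved against that base. Resolving with `Path.resolve` instead of the `File(File, String)` constructor also means an absolute entry name such as `/etc/passwd` is rejected by the check rather than silently relocated under the destination, which is presumably the intent of this fix. The rewrite below needs `java.nio.file.Path` in scope, which the hunk does not show. The rest of `unzip`'s body, where the entry is actually written, lies outside the hunk; the check is placed before that `try`, so it covers both file and directory entries.
```java
ZipInputStream zipIn = new ZipInputStream(is);
// Canonical base once; every entry must stay under it after normalisation.
Path base = destinationDir.toPath().toAbsolutePath().normalize();
ZipEntry entry = zipIn.getNextEntry();
while (entry != null) {
    Path target = base.resolve(entry.getName()).normalize();
    if (!target.startsWith(base)) {
        throw new IOException("Bad zip entry: " + entry.getName());
    }
    File filePath = target.toFile();
    // … unchanged: try { if (!entry.isDirectory()) { … } … } …
```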