refactor: fix security issue on extracting sneaky tar files

camunda-community-hub · May 10, 2022 · 9d07eea · 9d07eea
1 parent e541df6
commit 9d07eea
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/src/main/java/io/zeebe/containers/archive/TarExtractor.java b/src/main/java/io/zeebe/containers/archive/TarExtractor.java
@@ -62,6 +62,14 @@ private void extractEntry(
     }
 
     final Path entryPath = destination.resolve(entry.getName());
+    if (!entryPath.normalize().startsWith(destination)) {
+      throw new IllegalStateException(
+          String.format(
+              "Expected to extract %s from TAR archive to the destination folder %s, but it would "
+                  + "be extracted outside to %s; make sure no entry contains `..` or the likes in "
+                  + "their name",
+              entry.getName(), destination, entryPath));
+    }
 
     if (entry.isDirectory()) {
       Files.createDirectories(entryPath);