diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
index 6aed21164b1..47254781f27 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
@@ -107,6 +107,9 @@ public static void extractFiles(File archive, File extractTo, Engine engine) thr
 }
 } else {
 final File file = new File(extractTo, entry.getName());
+ if (!file.toPath().normalize().startsWith(extractTo.toPath().normalize())) {
+ throw new RuntimeException("Bad zip entry");
+ }
 if (engine == null || engine.accept(file)) {
 BufferedOutputStream bos = null;
 FileOutputStream fos;
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
index 652dc6e6023..d3d6056ead8 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
@@ -17,11 +17,7 @@
 */
 package org.owasp.dependencycheck.data.nvdcve;
 
-import java.io.BufferedInputStream;
-import java.io.BufferedOutputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
+import java.io.*;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import org.junit.Before;
@@ -72,6 +68,9 @@ public static void ensureDBExists() throws Exception {
 BufferedOutputStream dest = null;
 try {
 File o = new File(dataPath, entry.getName());
+ if (!o.toPath().normalize().startsWith(dataPath.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 o.createNewFile();
 fos = new FileOutputStream(o, false);
 dest = new BufferedOutputStream(fos, BUFFER_SIZE);
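Review bot: The new guard in extractFiles throws a bare `RuntimeException`, which bypasses the checked exception the method declares (the signature is cut off at `thr` in the hunk header, and the method itself begins outside the hunk) and so escapes callers that catch only the declared type; it also omits the entry name, which is what an operator needs to tell a hostile archive from a mislabelled one. I would throw the declared type with context, e.g. `throw new IOException("Zip entry outside extraction directory: " + entry.getName());` if `IOException` is among the declared types, or the project's own extraction exception if that is what the signature names. The branch closed by the `}` just before `} else {` is outside the hunk; if it creates directories from `entry.getName()`, it needs the same `normalize().startsWith(...)` check, since a `../` directory entry would otherwise create directories outside `extractTo`. The comparison itself is sound: `Path.startsWith` matches whole name elements, so a sibling directory such as `extractTo2` is not accepted as a prefix.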
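Review bot: The five explicit `java.io` imports are collapsed into the wildcard `import java.io.*;` just to bring `IOException` into scope, which the explicit style used by the remaining imports in this header argues against and which hides which `java.io` types the file actually uses. Keep the existing five lines and add `import java.io.IOException;` in alphabetical position instead. `BufferedInputStream` and `FileInputStream` remain in scope either way, so the change is otherwise import-neutral.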
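Review bot: The `IOException("Bad zip entry")` thrown on the new line drops the entry name, so a failing test run gives no clue which entry of the bundled archive was rejected; `throw new IOException("Zip entry outside data directory: " + entry.getName());` costs nothing and makes the failure diagnosable. The guard is correctly placed before `o.createNewFile()`, so nothing is created on disk for a rejected entry. This loop now duplicates the traversal check that ExtractionUtil.extractFiles performs in the same commit, and that method accepts a null engine (`engine == null || engine.accept(file)`); if the fixture is a plain zip, calling `ExtractionUtil.extractFiles(fixtureZip, dataPath, null)` with whatever file the loop currently reads would keep the two checks from drifting, provided the rest of ensureDBExists, which lies outside the hunk, has no other per-entry logic.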