This is an automated email from the ASF dual-hosted git repository. fmariani pushed a commit to branch camel-spring-boot-4.0.0-branch in repository https://gitbox.apache.org/repos/asf/camel-spring-boot.git
commit 3c4771821a3a1a82ff8d31f9b9b46349fb5651a5
Author: Tom Cunningham <[email protected]>
AuthorDate: Fri Oct 27 07:55:44 2023 -0400
Add a check for path traversal for SAST tests (#990)
---
.../dataformat/zipfile/springboot/ZipFileDataFormatTest.java | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/components-starter/camel-zipfile-starter/src/test/java/org/apache/camel/dataformat/zipfile/springboot/ZipFileDataFormatTest.java b/components-starter/camel-zipfile-starter/src/test/java/org/apache/camel/dataformat/zipfile/springboot/ZipFileDataFormatTest.java
index 1e5ddaa0902..63236668b79 100644
--- a/components-starter/camel-zipfile-starter/src/test/java/org/apache/camel/dataformat/zipfile/springboot/ZipFileDataFormatTest.java
+++ b/components-starter/camel-zipfile-starter/src/test/java/org/apache/camel/dataformat/zipfile/springboot/ZipFileDataFormatTest.java
@@ -368,7 +368,17 @@ public class ZipFileDataFormatTest {
 public void process(Exchange exchange) throws Exception {
 ZipFile zfile = new ZipFile(new File("src/test/resources/hello.odt"));
 ZipEntry entry = new ZipEntry((String) exchange.getIn().getHeader(Exchange.FILE_NAME));
- File file = new File("hello_out", entry.getName());
+ String outputDirectory = "hello_out";
+ File file = new File(outputDirectory, entry.getName());
+
+ // Check for Path Traversal
+ File destDirectory = new File(outputDirectory);
+ String destCanonicalPath = destDirectory.getCanonicalPath();
+ String outputCanonicalPath = file.getCanonicalPath();
+ if (!outputCanonicalPath.startsWith(destCanonicalPath)) {
+ throw new Exception("Zip path traversal found, expected " + destCanonicalPath + " but found " + outputCanonicalPath);
+ }
+
 if (entry.isDirectory()) {
 file.mkdirs();
 } else {
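Review bot: The added `startsWith(destCanonicalPath)` check is a plain string-prefix test, so an entry name such as `../hello_out_evil/x` canonicalises to a sibling path that still begins with the canonical `hello_out` prefix and passes the guard; the comparison needs the directory separator anchored, e.g. `if (!outputCanonicalPath.equals(destCanonicalPath) && !outputCanonicalPath.startsWith(destCanonicalPath + File.separator)) {`, or equivalently `Path`-based `destDirectory.toPath().toRealPath()` / `normalize().startsWith(base)`. This is test code driven by the `Exchange.FILE_NAME` header, so the practical risk is low, but since the point of the commit is to satisfy SAST it is worth making the guard the canonical form rather than the known-weak one. Throwing raw `Exception` is also a style nit; `IllegalArgumentException` or `IOException` would be more conventional. The enclosing `process` method continues beyond the hunk, so whether `zfile` is closed is not visible here.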
