[ https://issues.apache.org/jira/browse/MWRAPPER-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457922#comment-17457922 ]
Michael Osipov commented on MWRAPPER-21:
----------------------------------------

If this is fixed, why is this issue not closed?

> Arbitrary file write during archive extraction ("Zip Slip") in wrapper
> ----------------------------------------------------------------------
>
>                 Key: MWRAPPER-21
>                 URL: https://issues.apache.org/jira/browse/MWRAPPER-21
>             Project: Maven Wrapper
>          Issue Type: Bug
>          Components: Maven Wrapper Jar
>    Affects Versions: 0.5.6
>            Reporter: Sylwester Lachiewicz
>            Assignee: Robert Scholte
>            Priority: Major
>
> In Maven Wrapper Installer
> [https://github.com/apache/maven/blob/ef8c95eb397651e10f677763dfcd9c8cea7c27b0/maven-wrapper/src/main/java/org/apache/maven/wrapper/Installer.java]
>
> {code:java}
> ZipEntry entry = entries.nextElement();
> if ( entry.isDirectory() )
> {
>     continue;
> }
> Path targetFile = dest.resolve( entry.getName() );
> // Unsanitized archive entry, which may contain '..', is used in a file system operation.
> // prevent Zip Slip
> if ( targetFile.startsWith( dest ) )
> {
>     Files.createDirectories( targetFile.getParent() );
>     Files.copy( zipFile.getInputStream( entry ), targetFile );
> }
> {code}
>
> Found via LGTM.com scan

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
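
The check quoted in the issue compares `dest.resolve( entry.getName() )` against `dest` without normalizing, and `Path.startsWith` compares name elements literally, so a name containing `..` still passes. The following is an added example, not code from the issue or from the Maven Wrapper project; the class `ZipSlipCheck`, the methods `quotedCheck` and `safeResolve`, the destination path and the entry names are all hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ZipSlipCheck
{
    // The check as quoted in the issue: resolve, then compare without normalizing.
    static boolean quotedCheck( Path dest, String entryName )
    {
        Path targetFile = dest.resolve( entryName );
        return targetFile.startsWith( dest );
    }

    // Hardened form (an assumption of this example, not the project's fix):
    // collapse '..' lexically on both sides before the containment test.
    static Path safeResolve( Path dest, String entryName ) throws IOException
    {
        Path base = dest.toAbsolutePath().normalize();
        Path targetFile = base.resolve( entryName ).normalize();
        if ( !targetFile.startsWith( base ) )
        {
            throw new IOException( "Archive entry escapes target directory: " + entryName );
        }
        return targetFile;
    }

    public static void main( String[] args )
    {
        Path dest = Paths.get( "target", "unpack" ); // constructed destination
        // Constructed entry names, not read from a real archive.
        String[] names = { "bin/mvn", "lib/../bin/mvn", "../outside.txt", "bin/../../outside.txt" };
        for ( String name : names )
        {
            String hardened;
            try
            {
                safeResolve( dest, name );
                hardened = "accept";
            }
            catch ( IOException e )
            {
                hardened = "reject";
            }
            String quoted = quotedCheck( dest, name ) ? "accept" : "reject";
            System.out.printf( "%-24s quoted=%-6s hardened=%s%n", name, quoted, hardened );
        }
    }
}
```

`normalize()` is purely lexical and does not follow symbolic links, so when the destination directory may already contain links, the parent of each target should also be checked with `toRealPath()` before writing.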