Merge pull request #904 from rneatherway/zipslip-fix

Java: Add a flow step for `Path::toFile` in ZipSlip
2026-04-26 17:25:19 +02:00 · 2019-02-11 13:08:38 +01:00
parent 10b00254ec 409733838b
commit 52ad816074
3 changed files with 12 additions and 0 deletions
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java
@@ -51,4 +51,13 @@ public class ZipTest {
      throw new Exception();
    FileOutputStream os = new FileOutputStream(file); // OK
  }
+
+  public void m6(ZipEntry entry, Path dir) {
+    String canonicalDest = dir.toFile().getCanonicalPath();
+    Path target = dir.resolve(entry.getName());
+    String canonicalTarget = target.toFile().getCanonicalPath();
+    if (!canonicalTarget.startsWith(canonicalDest + File.separator))
+      throw new Exception();
+    OutputStream os = Files.newOutputStream(target); // OK
+  }
 }