From jbono...@apache.org
Subject [karaf] branch karaf-4.1.x updated: [KARAF-6090] kar extract ignores path containing .. relative
Date Tue, 15 Jan 2019 10:52:08 GMT
This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch karaf-4.1.x
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/karaf-4.1.x by this push:
     new e36a7a6  [KARAF-6090] kar extract ignores path containing .. relative
e36a7a6 is described below

commit e36a7a66fa08eb5eb253b2b0cec262ffbdef0721
Author: Jean-Baptiste Onofré <jbonofre@apache.org>
AuthorDate: Mon Jan 14 14:06:20 2019 +0100

    [KARAF-6090] kar extract ignores path containing .. relative
---
 kar/pom.xml                                        |  7 ++
 .../java/org/apache/karaf/kar/internal/Kar.java    | 34 ++++++----
 .../org/apache/karaf/kar/internal/KarTest.java     | 79 ++++++++++++++++++++++
 3 files changed, 105 insertions(+), 15 deletions(-)

diff --git a/kar/pom.xml b/kar/pom.xml
index 280ce27..16d1fb1 100644
--- a/kar/pom.xml
+++ b/kar/pom.xml
@@ -75,6 +75,13 @@
             <artifactId>org.apache.karaf.shell.core</artifactId>
             <optional>true</optional>
         </dependency>
+
+        <!-- test -->
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java b/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
index 601d97f..b1ac24d 100644
--- a/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
+++ b/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
@@ -115,23 +115,27 @@ public class Kar {
 
             ZipEntry entry = zipIs.getNextEntry();
             while (entry != null) {
-                if (entry.getName().startsWith("repository/")) {
-                    String path = entry.getName().substring("repository/".length());
-                    File destFile = new File(repoDir, path);
-                    extract(zipIs, entry, destFile);
-                    if (scanForRepos && featureDetector.isFeaturesRepository(destFile))
{
-                        Map map = new HashMap<>();
-                        String uri = Parser.pathToMaven(path, map);
-                        if (map.get("classifier") != null && ((String) map.get("classifier")).equalsIgnoreCase("features"))
-                            featureRepos.add(URI.create(uri));
-                        else featureRepos.add(destFile.toURI());
+                if (entry.getName().contains("..")) {
+                    LOGGER.warn("kar entry {} contains a .. relative path. For security reasons,
it's not allowed.", entry.getName());
+                } else {
+                    if (entry.getName().startsWith("repository/")) {
+                        String path = entry.getName().substring("repository/".length());
+                        File destFile = new File(repoDir, path);
+                        extract(zipIs, entry, destFile);
+                        if (scanForRepos && featureDetector.isFeaturesRepository(destFile))
{
+                            Map map = new HashMap<>();
+                            String uri = Parser.pathToMaven(path, map);
+                            if (map.get("classifier") != null && ((String) map.get("classifier")).equalsIgnoreCase("features"))
+                                featureRepos.add(URI.create(uri));
+                            else featureRepos.add(destFile.toURI());
+                        }
                     }
-                }
 
-                if (entry.getName().startsWith("resources/")) {
-                    String path = entry.getName().substring("resources/".length());
-                    File destFile = new File(resourceDir, path);
-                    extract(zipIs, entry, destFile);
+                    if (entry.getName().startsWith("resources/")) {
+                        String path = entry.getName().substring("resources/".length());
+                        File destFile = new File(resourceDir, path);
+                        extract(zipIs, entry, destFile);
+                    }
                 }
                 entry = zipIs.getNextEntry();
             }
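Review bot: The new `if (entry.getName().contains(".."))` guard is a substring test on the entry name, so an entry such as `repository/org/foo..bar/x.jar` is rejected although it resolves inside `repoDir`, while the property that actually matters — that `destFile` ends up under `repoDir` or `resourceDir` — is never checked directly. A canonical-path containment check placed right before each `extract(zipIs, entry, destFile)` pins that invariant regardless of how the name is spelled: `if (!destFile.getCanonicalFile().toPath().startsWith(repoDir.getCanonicalFile().toPath())) { LOGGER.warn("kar entry {} resolves outside the target directory, skipping", entry.getName()); }` (and the same against `resourceDir` in the second branch), with the current `..` test kept as a cheap early reject if desired. Note also that a rejected entry is only logged at WARN and the loop moves on, so the archive is still installed with that entry silently missing; whether a KAR carrying a traversal entry should install at all or make `extract` fail is a policy choice that deserves a one-line comment at the guard. The enclosing method begins before this hunk.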
diff --git a/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java b/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
new file mode 100644
index 0000000..81c3838
--- /dev/null
+++ b/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.karaf.kar.internal;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.net.URI;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
+
+public class KarTest {
+
+    @Test
+    public void karExtractTest() throws Exception {
+        File base = new File("target/test");
+        base.mkdirs();
+
+        Kar kar = new Kar(new URI("http://repo1.maven.org/maven2/org/apache/karaf/features/framework/4.2.2/framework-4.2.2.kar"));
+        File repoDir = new File("target/test/framework-repo");
+        repoDir.mkdirs();
+        File resourcesDir = new File("target/test/framework-resources");
+        resourcesDir.mkdirs();
+
+        kar.extract(repoDir, resourcesDir);
+
+        File[] repoDirFiles = repoDir.listFiles();
+        Assert.assertEquals(1, repoDirFiles.length);
+        Assert.assertEquals("org", repoDirFiles[0].getName());
+        File[] resourceDirFiles = resourcesDir.listFiles();
+        Assert.assertEquals(6, resourceDirFiles.length);
+    }
+
+    @Test
+    public void badKarExtractTest() throws Exception {
+        File base = new File("target/test");
+        base.mkdirs();
+        File badKarFile = new File(base,"bad.kar");
+        ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(badKarFile));
+        ZipEntry entry = new ZipEntry("../../../../foo.bar");
+        zos.putNextEntry(entry);
+
+        byte[] data = "Test Data".getBytes();
+        zos.write(data, 0, data.length);
+        zos.closeEntry();
+        zos.close();
+
+        Kar kar = new Kar(new URI("file:target/test/bad.kar"));
+        File repoDir = new File("target/test/repo");
+        repoDir.mkdirs();
+        File resourceDir = new File("target/test/resources");
+        resourceDir.mkdirs();
+        kar.extract(repoDir, resourceDir);
+
+        File[] repoDirFiles = repoDir.listFiles();
+        Assert.assertEquals(0, repoDirFiles.length);
+        File[] resourceDirFiles = resourceDir.listFiles();
+        Assert.assertEquals(0, resourceDirFiles.length);
+    }
+
+}
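Review bot: `badKarExtractTest` does not exercise the new guard: its entry `../../../../foo.bar` starts with neither `repository/` nor `resources/`, and the removed code in Kar.java only ever extracted entries with one of those prefixes, so this test also passes against the unpatched `extract`. An entry named `repository/../../foo.bar` would reach the guard (its pre-fix destination would be `target/test/repo/../../foo.bar`, i.e. `target/foo.bar`), and the assertion should then target that escaped location rather than the always-empty `repoDir`, e.g. `Assert.assertFalse(new File("target/foo.bar").exists());`. `karExtractTest` fetches a real artifact from `repo1.maven.org` over plain `http://`, which makes the build network-dependent and leaves the downloaded archive without transport integrity protection; a generated or checked-in fixture would make the test hermetic. Minor: the `FileOutputStream`/`ZipOutputStream` pair should be opened in try-with-resources so `bad.kar` is closed even when `write` throws, and `"Test Data".getBytes()` should name `StandardCharsets.UTF_8`.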

