From: Ben Soares <b.soares@dundee.ac.uk>
Date: Thu, 6 Jun 2024 12:54:51 +0000 (+0100)
Subject: JAL-4072 Add zip-slip check in getdown
X-Git-Tag: Release_2_11_4_0~25^2~5
X-Git-Url: http://source.jalview.org/gitweb/?a=commitdiff_plain;h=58d8d12ca3bcc48b6aa0e766a3f56c250e13d1dc;p=jalview.git

JAL-4072 Add zip-slip check in getdown
---

diff --git a/getdown/lib/getdown-core.jar b/getdown/lib/getdown-core.jar
index abc2c7a..8c9e44b 100644
Binary files a/getdown/lib/getdown-core.jar and b/getdown/lib/getdown-core.jar differ
diff --git a/getdown/lib/getdown-launcher-local.jar b/getdown/lib/getdown-launcher-local.jar
index 368c124..a3528ac 100644
Binary files a/getdown/lib/getdown-launcher-local.jar and b/getdown/lib/getdown-launcher-local.jar differ
diff --git a/getdown/lib/getdown-launcher.jar b/getdown/lib/getdown-launcher.jar
index 3e0cb62..f803c4f 100644
Binary files a/getdown/lib/getdown-launcher.jar and b/getdown/lib/getdown-launcher.jar differ
diff --git a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
index 4ead59b..c907e51 100644
--- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
+++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/tools/Patcher.java
@@ -129,6 +129,9 @@ public class Patcher
     {
         File target = new File(appdir, path);
         File patch = new File(appdir, entry.getName());
+        if (!patch.toPath().normalize().startsWith(appdir.toPath().normalize())) {
+          throw new RuntimeException("Bad zip entry");
+        }
         File otarget = new File(appdir, path + ".old");
         JarDiffPatcher patcher = null;
 
diff --git a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
index bba6c44..e4a752b 100644
--- a/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
+++ b/getdown/src/getdown/core/src/main/java/com/threerings/getdown/util/FileUtil.java
@@ -140,7 +140,9 @@ public class FileUtil
         while (entries.hasMoreElements()) {
             JarEntry entry = (JarEntry)entries.nextElement();
             File efile = new File(target, entry.getName());
-
+            if (!efile.toPath().normalize().startsWith(target.toPath().normalize())) {
+              throw new IOException("Bad zip entry");
+            }
             // if we're unpacking a normal jar file, it will have special path
             // entries that allow us to create our directories first
             if (entry.isDirectory()) {
diff --git a/j11lib/getdown-core.jar b/j11lib/getdown-core.jar
index abc2c7a..8c9e44b 100644
Binary files a/j11lib/getdown-core.jar and b/j11lib/getdown-core.jar differ
diff --git a/j8lib/getdown-core.jar b/j8lib/getdown-core.jar
index abc2c7a..8c9e44b 100644
Binary files a/j8lib/getdown-core.jar and b/j8lib/getdown-core.jar differ