[SECURITY] Fix Zip Slip Vulnerability (#198)

diffplug · Aug 9, 2022 · 25f04f6 · 25f04f6
2 parents fe20831 + 6434749
commit 25f04f6
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/main/java/com/diffplug/gradle/ZipMisc.java b/src/main/java/com/diffplug/gradle/ZipMisc.java
@@ -178,6 +178,9 @@ public static void unzip(File input, File destinationDir) throws IOException {
 			ZipEntry entry;
 			while ((entry = zipInput.getNextEntry()) != null) {
 				File dest = new File(destinationDir, entry.getName());
+				if (!dest.toPath().normalize().startsWith(destinationDir.toPath().normalize())) {
+					throw new RuntimeException("Bad zip entry");
+				}
 				if (entry.isDirectory()) {
 					FileMisc.mkdirs(dest);
 				} else {