From ec7c03a9ee374f173acec70ae2a013e2f33a5217 Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Sat, 5 Feb 2022 23:49:52 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E8=A7=A3=E5=8E=8Bzip=E6=9C=AA=E5=88=A4?=
 =?UTF-8?q?=E6=96=AD=E5=AD=90=E7=9B=AE=E5=BD=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../io/dataease/commons/utils/ZipUtils.java | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/backend/src/main/java/io/dataease/commons/utils/ZipUtils.java b/backend/src/main/java/io/dataease/commons/utils/ZipUtils.java
index 34c8549bdb..edcec34e1b 100644
--- a/backend/src/main/java/io/dataease/commons/utils/ZipUtils.java
+++ b/backend/src/main/java/io/dataease/commons/utils/ZipUtils.java
@@ -6,6 +6,8 @@ import java.util.zip.ZipEntry;
 import java.util.zip.ZipException;
 import java.util.zip.ZipFile;
 import java.util.zip.ZipInputStream;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 public class ZipUtils {
@@ -29,7 +31,7 @@ public class ZipUtils {
 ZipEntry ze = zis.getNextEntry();
 while (ze != null) {
 String fileName = ze.getName();
- File newFile = new File(outputFolder + File.separator + fileName);
+ File newFile = protectZipSlip(fileName, outputFolder);
 //大部分网络上的源码,这里没有判断子目录
 if (ze.isDirectory()) {
 if (!newFile.mkdirs()) {
@@ -60,7 +62,7 @@ public class ZipUtils {
 while (entry != null) {
- File file = new File(out, entry.getName());
+ File file = protectZipSlip(entry.getName(), out);
 if (entry.isDirectory()) {
 if (!file.mkdirs()) {
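Review bot: At `File newFile = protectZipSlip(fileName, outputFolder);` a rejected entry now surfaces as an IOException from inside the entry loop, and the same applies to `File file = protectZipSlip(entry.getName(), out);` in the ZipFile hunk; both enclosing methods start and end outside the hunks, so it is not visible whether they propagate the exception or catch it and continue with the next entry. Since entries before the offending one have already been written to `outputFolder`/`out`, it is worth confirming that the caller treats the exception as fatal for the whole archive and cleans up the partially extracted output rather than logging and carrying on. The helper returns the normalized File, so the `ze.isDirectory()` / `mkdirs()` branch that follows operates on the sanitized path, which is the right ordering.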
@@ -130,4 +132,17 @@ public class ZipUtils {
 }
 }
+ public static File protectZipSlip(String fileName, String destDir) throws IOException{
+ Path destPath = Paths.get(destDir);
+ Path resolvedDest = destPath.resolve(fileName);
+ Path normalizedPath = resolvedDest.normalize();
+
+ // checking whether zipEntry filename has changed the destination
+ if (!normalizedPath.startsWith(destDir)) {
+ throw new IOException("Malicious zip entry found: " + fileName);
+ }
+
+ File newFile = normalizedPath.toFile();
+ return newFile;
+ }
 }
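Review bot: The containment check at `if (!normalizedPath.startsWith(destDir))` normalizes only the entry side, so a destination passed as `./out` or `out/../out` never matches the normalized result and every benign entry is rejected with the "Malicious zip entry found" error; normalize the destination once and compare Path to Path, `Path destPath = Paths.get(destDir).normalize();` and `if (!normalizedPath.startsWith(destPath)) {`. With both sides normalized the approach is sound: `Path.startsWith` compares name elements, so `out` is not treated as a prefix of `out2`, and an absolute entry name resolves to itself and falls outside the destination. The new public method also has no Javadoc; a summary such as "Resolves a zip entry name beneath destDir and rejects names that would escape it (zip slip)" with `@throws IOException if the entry resolves outside destDir` would document the contract both extraction paths now rely on.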