From 2dfcca791a92a05528080ef98e7956500ed21856 Mon Sep 17 00:00:00 2001
From: sgrampone
Date: Fri, 28 Nov 2025 15:12:06 -0300
Subject: [PATCH] Fix codeql findings on gxcompressor

---
 .../com/genexus/compression/GXCompressor.java | 108 +++++++++++-------
 1 file changed, 66 insertions(+), 42 deletions(-)

diff --git a/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java b/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
index 85b4ed934..0e60d2529 100644
--- a/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
+++ b/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
@@ -16,6 +16,8 @@
 import java.io.*;
 import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Stack;
@@ -584,23 +586,31 @@ private static void compressToJar(File[] files, String outputPath) throws IOExce
 private static void decompressZip(File archive, String directory) throws IOException {
 byte[] buffer = new byte[BUFFER_SIZE];
+ final Path targetDir = Paths.get(directory).toAbsolutePath().normalize();
 try (ZipInputStream zis = new ZipInputStream(Files.newInputStream(archive.toPath()))) {
 ZipEntry zipEntry;
 while ((zipEntry = zis.getNextEntry()) != null) {
- File newFile = new File(directory, zipEntry.getName());
- if (zipEntry.isDirectory()) {
- if (!newFile.isDirectory() && !newFile.mkdirs()) {
- throw new IOException("Failed to create directory " + newFile);
- }
- } else {
- File parent = newFile.getParentFile();
- if (!parent.isDirectory() && !parent.mkdirs()) {
- throw new IOException("Failed to create directory " + parent);
- }
- try (FileOutputStream fos = new FileOutputStream(newFile)) {
- int len;
- while ((len = zis.read(buffer)) > 0) {
- fos.write(buffer, 0, len);
+ Path entryPath = targetDir.resolve(zipEntry.getName()).normalize();
+ if(!entryPath.startsWith(targetDir))
+ {
+ log.error(DIRECTORY_ATTACK + "{}", zipEntry.getName());
+ return;
+ }else {
+ File newFile = entryPath.toFile();
+ if (zipEntry.isDirectory()) {
+ if (!newFile.isDirectory() && !newFile.mkdirs()) {
+ throw new IOException("Failed to create directory " + newFile);
+ }
+ } else {
+ File parent = newFile.getParentFile();
+ if (!parent.isDirectory() && !parent.mkdirs()) {
+ throw new IOException("Failed to create directory " + parent);
+ }
+ try (FileOutputStream fos = new FileOutputStream(newFile)) {
+ int len;
+ while ((len = zis.read(buffer)) > 0) {
+ fos.write(buffer, 0, len);
+ }
 }
 }
 }
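Review bot: Rejecting a traversal entry with `log.error` followed by `return` silently stops extraction midway, so entries already written stay on disk and the caller gets no signal that the archive was not fully or safely extracted; the same pattern is repeated in decompress7z and decompressTar in the next two hunks. Since the method already declares `throws IOException`, the rejection should be an exception, and because the check is identical in all three methods it belongs in one helper so the next archive format cannot omit it. With the early throw, the `else` branch is unnecessary and the body can be dedented one level, which also removes the `if(` / `}else {` spacing that differs from the `} else {` style on the surrounding lines. decompressZip's closing lines fall outside the hunk, and DIRECTORY_ATTACK is defined elsewhere in the file, so its exact wording is not visible here.
```java
// … unchanged: decompressZip signature, buffer, targetDir, try/while …
				File newFile = resolveEntry(targetDir, zipEntry.getName()).toFile();
				// … unchanged: directory/file creation and copy loop, one indent level shallower …

/** Resolves an archive entry name below targetDir, rejecting one that would escape it. */
private static Path resolveEntry(Path targetDir, String entryName) throws IOException {
	Path entryPath = targetDir.resolve(entryName).normalize();
	if (!entryPath.startsWith(targetDir)) {
		log.error(DIRECTORY_ATTACK + "{}", entryName);
		throw new IOException(DIRECTORY_ATTACK + entryName);
	}
	return entryPath;
}
```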
@@ -610,23 +620,30 @@ private static void decompressZip(File archive, String directory) throws IOExcep
 private static void decompress7z(File archive, String directory) throws IOException {
 byte[] buffer = new byte[BUFFER_SIZE];
+ final Path targetDir = Paths.get(directory).toAbsolutePath().normalize();
 try (SevenZFile sevenZFile = new SevenZFile(archive)) {
 SevenZArchiveEntry entry;
 while ((entry = sevenZFile.getNextEntry()) != null) {
- File newFile = new File(directory, entry.getName());
- if (entry.isDirectory()) {
- if (!newFile.isDirectory() && !newFile.mkdirs()) {
- throw new IOException("Failed to create directory " + newFile);
- }
- } else {
- File parent = newFile.getParentFile();
- if (!parent.isDirectory() && !parent.mkdirs()) {
- throw new IOException("Failed to create directory " + parent);
- }
- try (OutputStream out = Files.newOutputStream(newFile.toPath())) {
- int bytesRead;
- while ((bytesRead = sevenZFile.read(buffer)) != -1) {
- out.write(buffer, 0, bytesRead);
+ Path entryPath = targetDir.resolve(entry.getName()).normalize();
+ if(!entryPath.startsWith(targetDir)) {
+ log.error(DIRECTORY_ATTACK + "{}", entry.getName());
+ return;
+ }else {
+ File newFile = entryPath.toFile();
+ if (entry.isDirectory()) {
+ if (!newFile.isDirectory() && !newFile.mkdirs()) {
+ throw new IOException("Failed to create directory " + newFile);
+ }
+ } else {
+ File parent = newFile.getParentFile();
+ if (!parent.isDirectory() && !parent.mkdirs()) {
+ throw new IOException("Failed to create directory " + parent);
+ }
+ try (OutputStream out = Files.newOutputStream(newFile.toPath())) {
+ int bytesRead;
+ while ((bytesRead = sevenZFile.read(buffer)) != -1) {
+ out.write(buffer, 0, bytesRead);
+ }
 }
 }
 }
@@ -636,23 +653,30 @@ private static void decompress7z(File archive, String directory) throws IOExcept
 private static void decompressTar(File archive, String directory) throws IOException {
 byte[] buffer = new byte[BUFFER_SIZE];
+ final Path targetDir = Paths.get(directory).toAbsolutePath().normalize();
 try (TarArchiveInputStream tis = new TarArchiveInputStream(Files.newInputStream(archive.toPath()))) {
 TarArchiveEntry entry;
 while ((entry = tis.getNextEntry()) != null) {
- File newFile = new File(directory, entry.getName());
- if (entry.isDirectory()) {
- if (!newFile.isDirectory() && !newFile.mkdirs()) {
- throw new IOException("Failed to create directory " + newFile);
- }
- } else {
- File parent = newFile.getParentFile();
- if (!parent.isDirectory() && !parent.mkdirs()) {
- throw new IOException("Failed to create directory " + parent);
- }
- try (OutputStream out = Files.newOutputStream(newFile.toPath())) {
- int len;
- while ((len = tis.read(buffer)) != -1) {
- out.write(buffer, 0, len);
+ Path entryPath = targetDir.resolve(entry.getName()).normalize();
+ if(!entryPath.startsWith(targetDir)) {
+ log.error(DIRECTORY_ATTACK + "{}", entry.getName());
+ return;
+ }else {
+ File newFile = entryPath.toFile();
+ if (entry.isDirectory()) {
+ if (!newFile.isDirectory() && !newFile.mkdirs()) {
+ throw new IOException("Failed to create directory " + newFile);
+ }
+ } else {
+ File parent = newFile.getParentFile();
+ if (!parent.isDirectory() && !parent.mkdirs()) {
+ throw new IOException("Failed to create directory " + parent);
+ }
+ try (OutputStream out = Files.newOutputStream(newFile.toPath())) {
+ int len;
+ while ((len = tis.read(buffer)) != -1) {
+ out.write(buffer, 0, len);
+ }
 }
 }
 }
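Review bot: The containment check only validates the entry's own name; a tar entry that is a symbolic or hard link is not distinguished from a regular file in the `else` branch, so it appears to be materialized as an empty regular file under the link's name (the copy loop reads no data for it), which silently produces a wrong extraction rather than an error. The defensive option is to reject such entries explicitly before the file branch, e.g. `if (entry.isSymbolicLink() || entry.isLink()) { throw new IOException("Unsupported link entry: " + entry.getName()); }`, and if link support is ever added, the link target needs the same `targetDir` containment check as the entry name. Whether link entries can occur in the archives this code accepts is not visible from the hunk, so confirm against the callers. decompressTar's closing lines fall outside the hunk.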