Codeql detects zipslip vulnerability (open-telemetry#8209)

I think that the only way zipslip could happen is when name contains `..` but codeql isn't able to cope with that. Removing the `..` check gets rid of the code scanning alert.
breedx-splk · Apr 4, 2023 · e0ecb56 · e0ecb56
1 parent b52bad1
commit e0ecb56
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/javaagent-tooling/src/main/java/io/opentelemetry/javaagent/tooling/ExtensionClassLoader.java b/javaagent-tooling/src/main/java/io/opentelemetry/javaagent/tooling/ExtensionClassLoader.java
@@ -91,11 +91,10 @@ private static void includeEmbeddedExtensionsIfFound(
           File tempFile = new File(tempDirectory, name.substring(prefix.length()));
           // reject extensions that would be extracted outside of temp directory
           // https://security.snyk.io/research/zip-slip-vulnerability
-          if (name.indexOf("..") != -1
-              && !tempFile
-                  .getCanonicalFile()
-                  .toPath()
-                  .startsWith(tempDirectory.getCanonicalFile().toPath())) {
+          if (!tempFile
+              .getCanonicalFile()
+              .toPath()
+              .startsWith(tempDirectory.getCanonicalFile().toPath())) {
             throw new IllegalStateException("Invalid extension " + name);
           }
           if (tempFile.createNewFile()) {