Fix zipslip vulnerability (#3366)

Thanks to The Snyk security team for bringing this up to our attention.
googleapis · Jun 11, 2018 · fad70bd · fad70bd
1 parent ccfdd61
commit fad70bd
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/...-clients/google-cloud-core/src/main/java/com/google/cloud/testing/BaseEmulatorHelper.java b/...-clients/google-cloud-core/src/main/java/com/google/cloud/testing/BaseEmulatorHelper.java
@@ -404,8 +404,13 @@ private Path downloadEmulator() throws IOException {
           log.fine("Unzipping emulator");
         }
         ZipEntry entry = zipIn.getNextEntry();
-        while (entry != null) {
-          File filePath = new File(emulatorPath.toFile(), entry.getName());
+        while (entry != null) { 
+          File filePath = new File(emulatorFolder, entry.getName());
+          String canonicalEmulatorFolderPath = emulatorFolder.getCanonicalPath();
+          String canonicalFilePath = filePath.getCanonicalPath();
+          if (!canonicalFilePath.startsWith(canonicalEmulatorFolderPath + File.separator)) {
+            throw new IllegalStateException("Entry is outside of the target dir: " + entry.getName());
+          }
           if (!entry.isDirectory()) {
             extractFile(zipIn, filePath);
           } else {