From fad70bdfdbc88e5c2ddf13be7085a7e9963f66c8 Mon Sep 17 00:00:00 2001
From: Hanzhen Yi <33737743+hzyi-google@users.noreply.github.com>
Date: Mon, 11 Jun 2018 16:42:04 -0700
Subject: [PATCH] Fix zipslip vulnerability (#3366)

Thanks to The Snyk security team for bringing this up to our attention.
---
 .../com/google/cloud/testing/BaseEmulatorHelper.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/google-cloud-clients/google-cloud-core/src/main/java/com/google/cloud/testing/BaseEmulatorHelper.java b/google-cloud-clients/google-cloud-core/src/main/java/com/google/cloud/testing/BaseEmulatorHelper.java
index b8f7be44874f..2f90f596467a 100644
--- a/google-cloud-clients/google-cloud-core/src/main/java/com/google/cloud/testing/BaseEmulatorHelper.java
+++ b/google-cloud-clients/google-cloud-core/src/main/java/com/google/cloud/testing/BaseEmulatorHelper.java
@@ -404,8 +404,13 @@ private Path downloadEmulator() throws IOException {
 log.fine("Unzipping emulator");
 }
 ZipEntry entry = zipIn.getNextEntry();
- while (entry != null) {
- File filePath = new File(emulatorPath.toFile(), entry.getName());
+ while (entry != null) {
+ File filePath = new File(emulatorFolder, entry.getName());
+ String canonicalEmulatorFolderPath = emulatorFolder.getCanonicalPath();
+ String canonicalFilePath = filePath.getCanonicalPath();
+ if (!canonicalFilePath.startsWith(canonicalEmulatorFolderPath + File.separator)) {
+ throw new IllegalStateException("Entry is outside of the target dir: " + entry.getName());
+ }
 if (!entry.isDirectory()) {
 extractFile(zipIn, filePath);
 } else {
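Review bot: `emulatorFolder.getCanonicalPath()` is evaluated on every pass of the `while` loop although it does not depend on the entry, so each archive entry pays an extra filesystem canonicalization; hoist it above the loop as `String canonicalEmulatorFolderPath = emulatorFolder.getCanonicalPath();` and keep only `String canonicalFilePath = filePath.getCanonicalPath();` inside the body. The containment check itself has the right shape for a Zip Slip defence (both sides canonicalized, separator appended so a sibling directory whose name merely starts with the target name is rejected); the one edge case is a target that canonicalizes to a filesystem root, where the appended `File.separator` produces a double separator and every entry is rejected — unlikely for an emulator folder, but worth a comment on the check. Throwing `IllegalStateException` for a malformed archive bypasses the `IOException` path that `downloadEmulator()` already declares on the `@@` line, so callers handling I/O failures never see it; `throw new java.util.zip.ZipException("Entry is outside of the target dir: " + entry.getName());` keeps it on that path. `emulatorFolder` is not declared in the hunk and is presumably a `File` already in scope, and the rest of `downloadEmulator()`, including whatever closes `zipIn` when this throws, lies outside the hunk.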