
Fix traversal bug on extraction of bad jar/zip files during jetty-start #8688

Merged (1 commit), Oct 6, 2022

Conversation

@joakime joakime (Contributor) commented Oct 5, 2022

The jetty-start extraction of zip/jar files doesn't take into account traversal bugs in entries found in zip/jar files.

This PR fixes this for the jetty-start use case.

We already have similar protections in place for JarResource and SelectiveJarResource in jetty proper.

Signed-off-by: Joakim Erdfelt [email protected]
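For readers who want to see the bug class the PR closes, the following is an added example written for this page, not Jetty's own extraction code: the unguarded `destination.resolve(entryName)` beside a containment check of the kind the description says JarResource already has. Class and method names, the destination directory and the entry names are all constructed for the illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.util.List;

// Added example (not Jetty's code): how an archive entry name can escape the
// extraction directory, and the containment check that rejects it.
public final class ZipSlipCheck
{
    // Vulnerable form: the raw entry name is resolved against the destination
    // and used as-is, so a name containing ".." lands outside the destination.
    static Path unsafeTarget(Path destination, String entryName)
    {
        return destination.resolve(entryName);
    }

    // Hardened form: normalize both sides and require the resolved target to
    // stay under the destination; anything else is refused before any I/O.
    // Path.startsWith compares components, so "/tmp/x" does not match "/tmp/xy".
    static Path safeTarget(Path destination, String entryName) throws IOException
    {
        Path root = destination.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root))
            throw new IOException("entry escapes extraction directory: " + entryName);
        return target;
    }

    public static void main(String[] args)
    {
        Path dest = Path.of("/tmp/jetty-extract"); // constructed destination
        // Constructed entry names: two benign, one relative traversal, one absolute.
        List<String> entries = List.of("lib/jetty-util.jar", "etc/./jetty.xml",
            "../../outside.txt", "/tmp/outside.txt");
        for (String name : entries)
        {
            System.out.println("unsafe: " + unsafeTarget(dest, name).normalize());
            try
            {
                System.out.println("safe:   " + safeTarget(dest, name));
            }
            catch (IOException e)
            {
                System.out.println("safe:   rejected, " + e.getMessage());
            }
        }
    }
}
```

The last two entries resolve outside `/tmp/jetty-extract` in the unsafe form and are rejected by the safe one; the check runs before any file is created, which is the point of the fix.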

@joakime joakime added the Bug For general bugs on Jetty side label Oct 5, 2022
@joakime joakime requested a review from sbordet October 5, 2022 18:30
@joakime joakime self-assigned this Oct 5, 2022
@@ -198,7 +198,14 @@
continue;
}

Path destFile = destination.resolve(entry.getName());
String entryName = entry.getName();
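Review bot: the hunk header (`@@ -198,7 +198,14 @@`) grows this region from 7 to 14 lines, but only the old `Path destFile = destination.resolve(entry.getName());` and the new `String entryName = entry.getName();` are visible here, so the containment check itself cannot be reviewed from this view, and the CodeQL annotation on this hunk still reports the entry name reaching a file system operation unsanitized. Make sure the lines that follow normalize the resolved path and reject the entry unless it stays under `destination` (the same protection the description says JarResource and SelectiveJarResource already carry), and put a one-line comment on the guard naming the Zip Slip case so it is not dropped in a later refactor.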

Check failure (Code scanning / CodeQL): Arbitrary file write during archive extraction ("Zip Slip")

Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).
@joakime joakime merged commit 5733ffc into jetty-10.0.x Oct 6, 2022

@MarcelRaschke MarcelRaschke left a comment


-s

@joakime joakime deleted the fix/jetty-10-start-extract-traversal branch October 8, 2022 01:03