Fixes tarslip issue (#3075)

deepjavalibrary · May 8, 2024 · 76598f9 · 76598f9
1 parent 32859b7
commit 76598f9
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 2 deletions.
diff --git a/api/src/main/java/ai/djl/util/TarUtils.java b/api/src/main/java/ai/djl/util/TarUtils.java
@@ -48,7 +48,7 @@ public static void untar(InputStream is, Path dir, boolean gzip) throws IOExcept
         try (TarArchiveInputStream tis = new TarArchiveInputStream(bis)) {
             TarArchiveEntry entry;
             while ((entry = tis.getNextEntry()) != null) {
-                String entryName = entry.getName();
+                String entryName = ZipUtils.removeLeadingFileSeparator(entry.getName());
                 if (entryName.contains("..")) {
                     throw new IOException("Malicious zip entry: " + entryName);
                 }

diff --git a/api/src/main/java/ai/djl/util/ZipUtils.java b/api/src/main/java/ai/djl/util/ZipUtils.java
@@ -52,7 +52,7 @@ public static void unzip(InputStream is, Path dest) throws IOException {
         ZipEntry entry;
         Set<String> set = new HashSet<>();
         while ((entry = zis.getNextEntry()) != null) {
-            String name = entry.getName();
+            String name = removeLeadingFileSeparator(entry.getName());
             if (name.contains("..")) {
                 throw new IOException("Malicious zip entry: " + name);
             }
@@ -121,6 +121,16 @@ private static void addToZip(Path root, Path file, ZipOutputStream zos) throws I
         }
     }
 
+    static String removeLeadingFileSeparator(String name) {
+        int index = 0;
+        for (; index < name.length(); index++) {
+            if (name.charAt(index) != File.separatorChar) {
+                break;
+            }
+        }
+        return name.substring(index);
+    }
+
     private static final class ValidationInputStream extends FilterInputStream {
 
         private static final int ZIP64_LOCSIG = 0x07064b50; // "PK\006\007"

diff --git a/api/src/test/java/ai/djl/util/ZipUtilsTest.java b/api/src/test/java/ai/djl/util/ZipUtilsTest.java
@@ -45,6 +45,19 @@ public void testEmptyZipFile() throws IOException {
         }
     }
 
+    @Test
+    public void testOffendingTar() throws IOException {
+        Path path = Paths.get("src/test/resources/offending.tar");
+        Path output = Paths.get("build/output");
+        Path file = output.resolve("tmp/empty.txt");
+        Utils.deleteQuietly(file);
+        Files.createDirectories(output);
+        try (InputStream is = Files.newInputStream(path)) {
+            TarUtils.untar(is, output, false);
+        }
+        Assert.assertTrue(Files.exists(file));
+    }
+
     @Test
     public void testInvalidZipFile() throws IOException {
         ByteArrayOutputStream bos = new ByteArrayOutputStream();

diff --git a/api/src/test/resources/offending.tar b/api/src/test/resources/offending.tar