Protection against arbitrary file write during archive extraction

Author: derrop

cloudnet-core/src/main/java/de/dytanic/cloudnetcore/web/api/v1/WebsiteDeployment.java

@@ -15,6 +15,7 @@
 
 import java.io.*;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -136,6 +137,11 @@ public FullHttpResponse post(ChannelHandlerContext channelHandlerContext,
 
     private void extractEntry(ZipFile zipFile, ZipEntry entry, String destDir) throws IOException {
         File file = new File(destDir, entry.getName());
+
+        if (!file.toPath().normalize().startsWith(Paths.get(destDir))) {
+            return;
+        }
+
         final byte[] BUFFER = new byte[0xFFFF];
 
         if (entry.isDirectory()) {

cloudnet-wrapper/src/main/java/de/dytanic/cloudnetwrapper/network/packet/in/PacketInCreateTemplate.java

@@ -199,6 +199,11 @@ public void handleInput(Document data, PacketSender packetSender) {
 
     private void extractEntry(ZipFile zipFile, ZipEntry entry, String destDir) throws IOException {
         File file = new File(destDir, entry.getName());
+
+        if (!file.toPath().normalize().startsWith(Paths.get(destDir))) {
+            return;
+        }
+
         final byte[] BUFFER = new byte[0xFFFF];
 
         if (entry.isDirectory()) {

cloudnet-wrapper/src/main/java/de/dytanic/cloudnetwrapper/server/CloudGameServer.java

@@ -513,6 +513,11 @@ public Process getInstance() {
 
     private void extractEntry(ZipFile zipFile, ZipEntry entry, String destDir) throws IOException {
         File file = new File(destDir, entry.getName());
+
+        if (!file.toPath().normalize().startsWith(Paths.get(destDir))) {
+            return;
+        }
+
         final byte[] BUFFER = new byte[0xFFFF];
 
         if (entry.isDirectory()) {