Merge branch 'zip-slip' into 'master'

Julien Poulton · Julien Poulton · commit b7439ea1f147 · 2018-12-12T15:32:23.000Z
Fix ZipSlip bug found by LGTM.com

See merge request codingame/game-engine!142
diff --git a/runner/src/main/java/com/codingame/gameengine/runner/Renderer.java b/runner/src/main/java/com/codingame/gameengine/runner/Renderer.java
@@ -139,6 +139,9 @@ private static List<Path> exportViewToWorkingDir(String sourceFolder, Path targe
                     String entryTail = name.substring(sourceFolder.length());
 
                     File f = new File(targetFolder + File.separator + entryTail);
+                    if (!f.toPath().normalize().startsWith(targetFolder)) {
+                        throw new IOException("Zip entry contained path traversal");
+                    }
                     if (entry.isDirectory()) {
                         f.mkdir();
                     } else {
