Protect against malicious archives by validating destination. See https://githuib.com/ebresie/python4nb/issues/2

ebresie · ebresie · commit 188f3fbafdd6 · 2022-08-27T10:14:44.000-05:00
diff --git a/src/main/java/org/apache/netbeans/modules/python4nb/util/FileUtils.java b/src/main/java/org/apache/netbeans/modules/python4nb/util/FileUtils.java
@@ -382,6 +382,11 @@ public static String decompressTarGz(File archive, File destination, boolean ski
                     name = name.substring(archiveRootLength);
                 }
                 File destPath = new File(destination, name);
+                /* Protect against malicious archives by validating destination. 
+                See https://githuib.com/ebresie/python4nb/issues/2 */
+                if (!destPath.toPath().normalize().startsWith(destination.toPath())) {
+                    throw new IOException("Bad archive entry");
+                }
                 if (tarEntry.isDirectory()) {
                     if (!destPath.isDirectory()
                             && !destPath.mkdirs()) {
