Merge pull request #764 from Stirling-Tools/pixeebot/drip-2024-02-01-pixee-java/harden-zip-entry-paths

Introduced protections against "zip slip"  attacks

src/main/java/stirling/software/SPDF/controller/api/pipeline/PipelineProcessor.java

@@ -1,5 +1,6 @@
 package stirling.software.SPDF.controller.api.pipeline;
 
+import io.github.pixee.security.ZipSecurity;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
@@ -356,7 +357,7 @@ public class PipelineProcessor {
         List<Resource> unzippedFiles = new ArrayList<>();
 
         try (ByteArrayInputStream bais = new ByteArrayInputStream(data);
-                ZipInputStream zis = new ZipInputStream(bais)) {
+                ZipInputStream zis = ZipSecurity.createHardenedInputStream(bais)) {
 
             ZipEntry entry;
             while ((entry = zis.getNextEntry()) != null) {

src/main/java/stirling/software/SPDF/utils/FileToPdf.java

@@ -1,5 +1,6 @@
 package stirling.software.SPDF.utils;
 
+import io.github.pixee.security.ZipSecurity;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@@ -144,7 +145,7 @@ public class FileToPdf {
 
     private static Path unzipAndGetMainHtml(byte[] fileBytes) throws IOException {
         Path tempDirectory = Files.createTempDirectory("unzipped_");
-        try (ZipInputStream zipIn = new ZipInputStream(new ByteArrayInputStream(fileBytes))) {
+        try (ZipInputStream zipIn = ZipSecurity.createHardenedInputStream(new ByteArrayInputStream(fileBytes))) {
             ZipEntry entry = zipIn.getNextEntry();
             while (entry != null) {
                 Path filePath = tempDirectory.resolve(entry.getName());