Merge pull request #764 from Stirling-Tools/pixeebot/drip-2024-02-01-pixee-java/harden-zip-entry-paths

Introduced protections against "zip slip" attacks
Anthony Stirling 2024-02-01 22:50:55 +00:00 committed by GitHub
commit 86635f85b4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 4 additions and 2 deletions


@ -1,5 +1,6 @@
package stirling.software.SPDF.controller.api.pipeline;
import io.github.pixee.security.ZipSecurity;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
@ -356,7 +357,7 @@ public class PipelineProcessor {
List<Resource> unzippedFiles = new ArrayList<>();
try (ByteArrayInputStream bais = new ByteArrayInputStream(data);
ZipInputStream zis = new ZipInputStream(bais)) {
ZipInputStream zis = ZipSecurity.createHardenedInputStream(bais)) {
ZipEntry entry;
while ((entry = zis.getNextEntry()) != null) {
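Review bot: The loop at `while ((entry = zis.getNextEntry()) != null)` now relies on the hardened stream to reject bad entry names, and as far as I know the toolkit does that by throwing an unchecked `SecurityException` from `getNextEntry()`. The catch clauses of this try are outside the hunk, so confirm that a rejected archive is logged and mapped to a client error instead of escaping as an unhandled runtime exception. The same applies to `unzipAndGetMainHtml` in FileToPdf, where `tempDirectory.resolve(entry.getName())` is still the only path construction; a local check such as `if (!filePath.normalize().startsWith(tempDirectory)) throw new IOException("zip entry outside target dir");` would keep the guarantee visible at the write site and independent of the library. The wrapper checks entry names only, so entry count and uncompressed size still look unbounded in both places.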


@ -1,5 +1,6 @@
package stirling.software.SPDF.utils;
import io.github.pixee.security.ZipSecurity;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
@ -144,7 +145,7 @@ public class FileToPdf {
private static Path unzipAndGetMainHtml(byte[] fileBytes) throws IOException {
Path tempDirectory = Files.createTempDirectory("unzipped_");
try (ZipInputStream zipIn = new ZipInputStream(new ByteArrayInputStream(fileBytes))) {
try (ZipInputStream zipIn = ZipSecurity.createHardenedInputStream(new ByteArrayInputStream(fileBytes))) {
ZipEntry entry = zipIn.getNextEntry();
while (entry != null) {
Path filePath = tempDirectory.resolve(entry.getName());