Compare paths when extracting an archive with the canonical destinati…

…on directory Commit 93d77ff introduced a check that files extracted from a tar archive will not be written outside of the destination directory. Unfortunately it also introduced a regression prventing the extraction of any tar archive when the path to the destination directory contains a symbolic link. For example on a jenkins agent where /var/lib/jenkins is a symbolic link to /data/jenkins and a job tries to extact nodejs to /var/lib/jenkins/workspace/example-project/target/node/tmp. The old code would then check if canonical path to a tar entry like /data/jenkins/workspace/example-project/target/node/tmp/XXX starts with /var/lib/jenkins/workspace/example-project/target/node/tmp which always fails. This commit compares the canonical extraction paths of the tar entries with the canonical path of the destination directory, which fixes the regression and still checks that no file is extracted outside of the destination directory.
eirslett · May 17, 2019 · 6175368 · 6175368
1 parent f807c40
commit 6175368
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/...n-core/src/main/java/com/github/eirslett/maven/plugins/frontend/lib/ArchiveExtractor.java b/...n-core/src/main/java/com/github/eirslett/maven/plugins/frontend/lib/ArchiveExtractor.java
@@ -104,13 +104,14 @@ public void extract(String archive, String destinationDirectory) throws ArchiveE
                     tarIn = new TarArchiveInputStream(new GzipCompressorInputStream(fis));
 
                     TarArchiveEntry tarEntry = tarIn.getNextTarEntry();
+                    String canonicalDestinationDirectory = new File(destinationDirectory).getCanonicalPath();
                     while (tarEntry != null) {
                         // Create a file for this tarEntry
                         final File destPath = new File(destinationDirectory + File.separator + tarEntry.getName());
                         prepDestination(destPath, tarEntry.isDirectory());
-                        if (!destPath.getCanonicalPath().startsWith(destinationDirectory)) {
+                        if (!destPath.getCanonicalPath().startsWith(canonicalDestinationDirectory)) {
                              throw new IOException(
-                                 "Expanding " + tarEntry.getName() + " would create file outside of " + destinationDirectory
+                                 "Expanding " + tarEntry.getName() + " would create file outside of " + canonicalDestinationDirectory
                              );
                         }
                         if (!tarEntry.isDirectory()) {