Merge pull request #3482 from daniel-beck/zip-slip-tar

[JENKINS-51777] Don't let tar entries escape target dir
jenkinsci · Jun 9, 2018 · 1afd9f8 · 1afd9f8
2 parents ee384ba + 7438abb
commit 1afd9f8
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/core/src/main/java/hudson/FilePath.java b/core/src/main/java/hudson/FilePath.java
@@ -2602,6 +2602,10 @@ private void readFromTar(String name, File baseDir, InputStream in) throws IOExc
             TarArchiveEntry te;
             while ((te = t.getNextTarEntry()) != null) {
                 File f = new File(baseDir, te.getName());
+                if (!f.toPath().normalize().startsWith(baseDir.toPath())) {
+                    throw new IOException(
+                            "Tar " + name + " contains illegal file name that breaks out of the target directory: " + te.getName());
+                }
                 if (te.isDirectory()) {
                     mkdirs(f);
                 } else {