From 9f0f513dd7b5fb25ca8fb3ccaa637ae9969c2817 Mon Sep 17 00:00:00 2001 From: Michael Barry Date: Sun, 3 Mar 2024 18:47:44 -0500 Subject: [PATCH] Safer natural earth unzip (#825) --- .../onthegomap/planetiler/reader/NaturalEarthReader.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/planetiler-core/src/main/java/com/onthegomap/planetiler/reader/NaturalEarthReader.java b/planetiler-core/src/main/java/com/onthegomap/planetiler/reader/NaturalEarthReader.java index 14ae862a82..2711fdb243 100644 --- a/planetiler-core/src/main/java/com/onthegomap/planetiler/reader/NaturalEarthReader.java +++ b/planetiler-core/src/main/java/com/onthegomap/planetiler/reader/NaturalEarthReader.java @@ -15,7 +15,6 @@ import java.nio.file.FileSystems; import java.nio.file.Files; import java.nio.file.Path; -import java.nio.file.StandardCopyOption; import java.sql.Connection; import java.sql.DriverManager; import java.sql.ResultSet; @@ -101,10 +100,14 @@ private Connection open(Path path, Path unzippedDir) throws IOException, SQLExce .findFirst() .orElseThrow(() -> new IllegalArgumentException("No .sqlite file found inside " + path)); extracted = unzippedDir.resolve(URLEncoder.encode(zipEntry.toString(), StandardCharsets.UTF_8)); + if (!extracted.startsWith(unzippedDir)) { + throw new IllegalArgumentException( + "Zip file tried to extract child outside of folder: " + zipEntry.getFileName()); + } FileUtils.createParentDirectories(extracted); if (!keepUnzipped || FileUtils.isNewer(path, extracted)) { LOGGER.info("unzipping {} to {}", path.toAbsolutePath(), extracted); - Files.copy(Files.newInputStream(zipEntry), extracted, StandardCopyOption.REPLACE_EXISTING); + FileUtils.safeCopy(Files.newInputStream(zipEntry), extracted); } if (!keepUnzipped) { extracted.toFile().deleteOnExit();