Merge pull request #2806 from BulkSecurityGeneratorProjectV2/fix/JLL/…

…zip-slip-vulnerability [SECURITY] Fix Zip Slip Vulnerability
testng-team · Oct 4, 2022 · 9150736 · 9150736
2 parents 1b978d4 + 47afa2c
commit 9150736
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/testng-core/src/main/java/org/testng/JarFileUtils.java b/testng-core/src/main/java/org/testng/JarFileUtils.java
@@ -76,6 +76,9 @@ private boolean testngXmlExistsInJar(File jarFile, List<String> classes) throws
         if (Parser.canParse(jeName.toLowerCase())) {
           InputStream inputStream = jf.getInputStream(je);
           File copyFile = new File(file, jeName);
+          if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+            throw new IOException("Bad zip entry");
+          }
           copyFile.getParentFile().mkdirs();
           Files.copy(inputStream, copyFile.toPath());
           if (matchesXmlPathInJar(je)) {