Fix Zip Slip vulnerability in JAR extraction by Copilot · Pull Request #453 · codehaus-plexus/plexus-compiler
Summary
Fixes a Zip Slip vulnerability in JarUtil.extract() that could allow arbitrary file writes outside the intended extraction directory when processing malicious JAR files.
Vulnerability Details
The Zip Slip vulnerability is a critical security issue that occurs during archive extraction when path traversal sequences in entry names are not properly validated. An attacker could craft a malicious JAR file with entries like ../../etc/passwd or subdir/../../evil.txt to write files outside the intended extraction directory, potentially overwriting system files or placing malicious content in sensitive locations.
Root Cause
The original code attempted to validate paths but did not normalize them before the security check:
```java
Path f = destDir.resolve(file.getName());
if (!f.startsWith(toPath)) {
    throw new IOException("Bad zip entry");
}
```
This allowed paths containing .. segments to bypass validation because resolve() does not automatically normalize the path.
Changes Made
1. Normalize resolved paths before validation
Added .normalize() to canonicalize the resolved path before the security check:
```java
Path f = destDir.resolve(file.getName()).normalize();
```
This ensures all .. and . path segments are resolved, making the startsWith() check effective at detecting path traversal attempts.
2. Ensure parent directories exist
Added parent directory creation before writing files:
```java
Path parent = f.getParent();
if (parent != null) {
    Files.createDirectories(parent);
}
```
This ensures files can be extracted even when their parent directories are not explicitly listed as separate entries in the JAR.
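The two changes above, combined into one runnable extractor, as an added example that is not the project's JarUtil code (the class ZipSlipDemo and the methods safeTarget, extract and archive are assumed names; the archives are constructed in memory for the demonstration):

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Added illustration of the hardened check; not the project's JarUtil. */
public class ZipSlipDemo {

    /** Returns the target path for an entry, or throws if it escapes destDir. */
    static Path safeTarget(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        // Normalize BEFORE the check: resolve() keeps ".." segments, so
        // base.resolve("../x").startsWith(base) would wrongly be true.
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("Bad zip entry: " + entryName);
        }
        return target;
    }

    /** Extracts a JAR/ZIP stream into destDir, rejecting traversal entries. */
    static List<Path> extract(InputStream in, Path destDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = safeTarget(destDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    // Parent directories may have no entry of their own in the JAR.
                    Path parent = target.getParent();
                    if (parent != null) {
                        Files.createDirectories(parent);
                    }
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                    written.add(target);
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    /** Builds a small archive in memory (constructed test data). */
    static byte[] archive(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("zipslip-demo");

        // Legitimate archive: a nested file whose parent directory has no own entry.
        byte[] good = archive("META-INF/MANIFEST.MF", "com/example/App.class");
        System.out.println("extracted: " + extract(new ByteArrayInputStream(good), dest));

        // The two entry shapes covered by the PR's tests; both must be rejected.
        for (String bad : new String[] {"../../evil.txt", "subdir/../../evil.txt"}) {
            try {
                extract(new ByteArrayInputStream(archive(bad)), dest);
                System.out.println("NOT blocked: " + bad);
            } catch (IOException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

Normalizing the destination directory itself (toAbsolutePath().normalize()) matters as well: if destDir is a relative path such as out/../out, the startsWith() comparison only behaves when both sides are in the same normalized form. The same check also rejects absolute entry names, since resolve() replaces the base with an absolute argument and the result no longer starts with it.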
Testing
Added comprehensive test coverage in JarUtilTest.java:
- testZipSlipProtection: Verifies that simple path traversal attempts (../../evil.txt) are properly blocked
- testZipSlipWithComplexPath: Verifies that complex path traversal attempts (subdir/../../evil.txt) are properly blocked
- testNormalExtraction: Ensures legitimate JAR extraction continues to work correctly with files and subdirectories
All tests pass successfully, confirming the vulnerability is fixed without breaking existing functionality.
Impact
This is a minimal, surgical fix that:
- ✅ Prevents arbitrary file writes outside the extraction directory
- ✅ Maintains backward compatibility with legitimate JAR files
- ✅ Adds no new dependencies
- ✅ Includes test coverage to prevent regression
Resolves #1 (code scanning alert for Zip Slip vulnerability)
Warning
Firewall rules blocked me from connecting to one or more addresses
I tried to connect to the following addresses, but was blocked by firewall rules:
- repo.jenkins-ci.org (dns block)
  Triggering command:
  /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.11/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.11/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.11 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.11/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/plexus-compiler/plexus-compiler/plexus-compiler-its/target/it/MCOMPILER-346-mre org.codehaus.plexus.classworlds.launcher.Launcher -B -D maven.repo.local=/home/REDACTED/work/plexus-compiler/plexus-compiler/plexus-compiler-its/target/local-repo -s /home/REDACTED/work/plexus-compiler/plexus-compiler/plexus-compiler-its/target/it/interpolated-settings.xml clean compile
If you need me to access, download, or install something from one of these locations, you can either:
- Configure Actions setup steps to set up my environment, which run before the firewall is enabled
- Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)
Original prompt
This section details the original issue you should resolve
<issue_title>Fix code scanning alert - Arbitrary file write during archive extraction ("Zip Slip")</issue_title>
<issue_description>Tracking issue for:
- https://github.com/codehaus-plexus/plexus-compiler/security/code-scanning/1
</issue_description>
Comments on the Issue (you are @copilot in this section)
Fixes #322