update security fix for unzip process

JavaSaBr · JavaSaBr · commit 2d4608dcc297 · 2026-02-06T18:55:27.000+01:00
diff --git a/rlib-io/src/main/java/javasabr/rlib/io/util/FileUtils.java b/rlib-io/src/main/java/javasabr/rlib/io/util/FileUtils.java
@@ -407,20 +407,22 @@ public static int unzip(Path destination, Path zipFile) {
     if (!Files.exists(destination)) {
       throw new IllegalArgumentException("The folder " + destination + " doesn't exist.");
     }
+    Path normalizedDestination = destination.normalize();
     int count = 0;
     try (var zin = new ZipInputStream(Files.newInputStream(zipFile))) {
       for (var entry = zin.getNextEntry(); entry != null; entry = zin.getNextEntry()) {
         String entryName = entry.getName();
         Path targetFile = destination
             .resolve(entryName)
             .normalize();
-        if (!targetFile.startsWith(destination)) {
+        if (!targetFile.startsWith(normalizedDestination)) {
           LOGGER.warning(entryName, "Unexpected entry name:[%s] which is outside"::formatted);
           continue;
         }
         if (entry.isDirectory()) {
           Files.createDirectories(targetFile);
         } else {
+          Files.createDirectories(targetFile.getParent());
           Files.copy(zin, targetFile, StandardCopyOption.REPLACE_EXISTING);
           count++;
         }
diff --git a/rlib-io/src/test/java/javasabr/rlib/io/FileUtilsTest.java b/rlib-io/src/test/java/javasabr/rlib/io/FileUtilsTest.java
@@ -111,12 +111,31 @@ void shouldUnzipFileCorrectly() throws IOException {
       zout.write("test text 5".getBytes(StandardCharsets.UTF_8));
     }
 
-    Path outputDir = Files.createTempDirectory("test-unzip");
+    Path tempDirectory = Files.createTempDirectory("test-unzip");
+    Path outputDir = tempDirectory
+        .resolve("output")
+        .resolve("folder");
+    
+    Files.createDirectories(outputDir);
     
     // when:
     int unpackedFiles = FileUtils.unzip(outputDir, zipFile);
 
     // then:
     assertThat(unpackedFiles).isEqualTo(3);
+    assertThat(outputDir
+        .resolve("fileA.txt"))
+        .exists();
+    assertThat(outputDir
+        .resolve("dir_a")
+        .resolve("fileC.txt"))
+        .exists();
+    assertThat(tempDirectory
+        .resolve("output")
+        .resolve("fileB.txt"))
+        .doesNotExist();
+    assertThat(tempDirectory
+        .resolve("fileE.txt"))
+        .doesNotExist();
   }
 }
