Merge pull request #34504 from odaysec/fix-dev

fix: arbitrary file access during archive extraction zipslip

Author: hmusum

client/go/internal/vespa/application.go

@@ -254,7 +254,11 @@ func (ap *ApplicationPackage) Unzip(test bool) (string, error) {
 	}
 	defer f.Close()
 	for _, f := range f.File {
+		// Normalize the file path and ensure it stays within the temp directory
 		dst := filepath.Join(tmp, f.Name)
+		if !strings.HasPrefix(filepath.Clean(dst), filepath.Clean(tmp)+string(os.PathSeparator)) {
+			return "", fmt.Errorf("illegal file path in archive: %s", f.Name)
+		}
 		if f.FileInfo().IsDir() {
 			if err := os.Mkdir(dst, f.FileInfo().Mode()); err != nil {
 				return "", err

config-application-package/src/main/java/com/yahoo/config/application/ConfigDefinitionDir.java

@@ -31,7 +31,13 @@ private void checkAndCopyUserDefs(Bundle bundle, List<Bundle> bundlesAdded) thro
         for (Bundle.DefEntry def : bundle.getDefEntries()) {
             checkUserDefConflict(bundle, def, bundlesAdded);
             String defFilename = def.defNamespace + "." + def.defName + ".def";
-            OutputStream out = new FileOutputStream(new File(defDir, defFilename));
+            File outFile = new File(defDir, defFilename);
+            // Zip Slip fix: ensure output file path is within defDir
+            if (!outFile.toPath().normalize().startsWith(defDir.toPath().normalize())) {
+                throw new IllegalArgumentException("Refusing to write config definition outside of " + defDir.getAbsolutePath() +
+                        " (got " + outFile.getAbsolutePath() + ")");
+            }
+            OutputStream out = new FileOutputStream(outFile);
             out.write(def.contents.getBytes());
             out.close();
         }

config-application-package/src/main/java/com/yahoo/config/model/application/provider/SchemaValidators.java

@@ -169,7 +169,13 @@ private static void copySchemas(File from, File to) throws IOException {
 
     private static void writeContentsToFile(File outDir, String outFile, InputStream inputStream) throws IOException {
         String contents = IOUtils.readAll(new InputStreamReader(inputStream));
-        File out = new File(outDir, outFile);
+
+        // Validate and sanitize the output path
+        File out = new File(outDir, outFile).getCanonicalFile();
+        if (!out.getPath().startsWith(outDir.getCanonicalPath() + File.separator)) {
+            throw new IOException("Invalid file path: " + outFile);
+        }
+
         IOUtils.writeFile(out, contents, false);
     }
 

configserver/src/main/java/com/yahoo/vespa/config/server/application/CompressedApplicationInputStream.java

@@ -91,6 +91,9 @@ private File decompressInto(Path dir) throws IOException {
                 tmpStream.close();
                 log.log(Level.FINE, "Creating output file: " + file.path());
                 Path dstFile = dir.resolve(file.path().toString()).normalize();
+                if (!dstFile.startsWith(dir.normalize())) {
+                    throw new IOException("Entry attempts to write outside the target directory: " + dstFile);
+                }
                 Files.createDirectories(dstFile.getParent());
                 Files.move(tmpFile, dstFile);
                 tmpFile = createTempFile(dir);

filedistribution/src/main/java/com/yahoo/vespa/filedistribution/FileReferenceCompressor.java

@@ -71,20 +71,27 @@ private static void decompress(TarArchiveInputStream archiveInputStream, File ou
         ArchiveEntry entry;
         while ((entry = archiveInputStream.getNextEntry()) != null) {
             File outFile = new File(outputFile, entry.getName());
+            File canonicalOutFile = outFile.getCanonicalFile();
+            File canonicalOutputDir = outputFile.getCanonicalFile();
+
+            if (!canonicalOutFile.toPath().startsWith(canonicalOutputDir.toPath())) {
+                throw new IOException("Invalid archive entry: " + entry.getName());
+            }
+
             if (entry.isDirectory()) {
-                if (!(outFile.exists() && outFile.isDirectory())) {
-                    log.log(Level.FINE, () -> "Creating dir: " + outFile.getAbsolutePath());
-                    if (!outFile.mkdirs()) {
+                if (!(canonicalOutFile.exists() && canonicalOutFile.isDirectory())) {
+                    log.log(Level.FINE, () -> "Creating dir: " + canonicalOutFile.getAbsolutePath());
+                    if (!canonicalOutFile.mkdirs()) {
                         log.log(Level.WARNING, "Could not create dir " + entry.getName());
                     }
                 }
             } else {
                 // Create parent dir if necessary
-                File parent = new File(outFile.getParent());
+                File parent = new File(canonicalOutFile.getParent());
                 if (!parent.exists() && !parent.mkdirs()) {
                     log.log(Level.WARNING, "Could not create dir " + parent.getAbsolutePath());
                 }
-                try (FileOutputStream fos = new FileOutputStream(outFile)) {
+                try (FileOutputStream fos = new FileOutputStream(canonicalOutFile)) {
                     archiveInputStream.transferTo(fos);
                 }
             }

integration/schema-language-server/language-server/src/main/java/ai/vespa/schemals/SchemaLanguageServer.java

@@ -271,7 +271,11 @@ public boolean accept(File pathname) {
             while (entries.hasMoreElements()) {
                 JarEntry entry = entries.nextElement();
                 if (!entry.isDirectory() && entry.getName().startsWith(documentationPath.getFileName().toString())) {
-                    Path destination = documentationPath.getParent().resolve(entry.getName());
+                    Path extractionDir = documentationPath.getParent();
+                    Path destination = extractionDir.resolve(entry.getName()).normalize();
+                    if (!destination.startsWith(extractionDir)) {
+                        throw new IOException("Zip entry is outside of the target dir: " + entry.getName());
+                    }
                     Files.createDirectories(destination.getParent());
                     try (InputStream inputStream = Thread.currentThread().getContextClassLoader().getResourceAsStream(entry.getName())) {
                         BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));

integration/schema-language-server/lemminx-vespa/src/main/java/ai/vespa/lemminx/UnpackRNGFiles.java

@@ -42,7 +42,12 @@ public static void unpackRNGFiles(Path serverPath) throws IOException {
             while (entries.hasMoreElements()) {
                 JarEntry entry = entries.nextElement();
                 if (!entry.isDirectory() && entry.getName().endsWith(".rng") && entry.getName().startsWith("resources/schema")) {
-                    Path writePath = serverPath.resolve(entry.getName());
+                    Path writePath = serverPath.resolve(entry.getName()).normalize();
+                    Path targetDir = serverPath.resolve("resources").resolve("schema").normalize();
+                    if (!writePath.startsWith(targetDir)) {
+                        // Potential Zip Slip attack, skip this entry
+                        continue;
+                    }
                     try (InputStream inputStream = Thread.currentThread().getContextClassLoader().getResourceAsStream(entry.getName())) {
                         BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
                         String content = reader.lines().collect(Collectors.joining(System.lineSeparator()));