Fix wrong directory traversal and zip bomb checks

tomas-sexenian · tomas-sexenian · commit a131cfa20f74 · 2025-03-31T11:43:33.000-03:00
diff --git a/gxcompress/src/main/java/com/genexus/compression/CompressionUtils.java b/gxcompress/src/main/java/com/genexus/compression/CompressionUtils.java
@@ -4,6 +4,7 @@
 import org.apache.commons.compress.archivers.sevenz.SevenZFile;
 import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
 import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
 
 import java.io.File;
 import java.io.FileInputStream;
@@ -16,6 +17,7 @@
 import static org.apache.commons.io.FilenameUtils.getExtension;
 
 public class CompressionUtils {
+
 	public static int countArchiveEntries(File toCompress) throws IOException {
 		String ext = getExtension(toCompress.getName()).toLowerCase();
 		switch (ext) {
@@ -101,6 +103,70 @@ public static boolean isArchiveSafe(File toCompress, String targetDir) throws IO
 		return true;
 	}
 
+	private static final long MAX_PERMITTED_SIZE = 1024L * 1024 * 1024 * 15; //15GB
+
+	public static long estimateDecompressedSize(File archive) throws IOException {
+		String ext = getExtension(archive.getName()).toLowerCase();
+		long totalSize = 0;
+
+		switch (ext) {
+			case "zip":
+			case "jar":
+				try (ZipFile zip = new ZipFile(archive)) {
+					Enumeration<? extends ZipEntry> entries = zip.entries();
+					while (entries.hasMoreElements()) {
+						ZipEntry entry = entries.nextElement();
+						if (!entry.isDirectory()) {
+							long size = entry.getSize();
+							totalSize += (size > 0) ? size : (archive.length() * 5);
+							if (totalSize > MAX_PERMITTED_SIZE) {
+								return totalSize;
+							}
+						}
+					}
+				}
+				break;
+			case "tar":
+				try (FileInputStream fis = new FileInputStream(archive);
+					 TarArchiveInputStream tais = new TarArchiveInputStream(fis)) {
+					TarArchiveEntry entry;
+					while ((entry = tais.getNextEntry()) != null) {
+						if (!entry.isDirectory()) {
+							totalSize += entry.getSize();
+							if (totalSize > MAX_PERMITTED_SIZE) {
+								return totalSize;
+							}
+						}
+					}
+				}
+				break;
+			case "7z":
+				try (SevenZFile sevenZFile = getSevenZFile(archive.getAbsolutePath())) {
+					SevenZArchiveEntry entry;
+					while ((entry = sevenZFile.getNextEntry()) != null) {
+						if (!entry.isDirectory()) {
+							totalSize += entry.getSize();
+							if (totalSize > MAX_PERMITTED_SIZE) {
+								return totalSize;
+							}
+						}
+					}
+				}
+				break;
+			case "gz":
+				try (FileInputStream fis = new FileInputStream(archive);
+					 GzipCompressorInputStream ignored = new GzipCompressorInputStream(fis)) {
+					totalSize = archive.length() * 10;
+				}
+				break;
+		}
+		if (totalSize < archive.length()) {
+			totalSize = archive.length() * 5;
+		}
+
+		return totalSize;
+	}
+
 	private static SevenZFile getSevenZFile(final String specialPath) throws IOException {
 		return SevenZFile.builder().setFile(getFile(specialPath)).get();
 	}
diff --git a/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java b/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
@@ -34,11 +34,16 @@ public class GXCompressor implements IGXCompressor {
 	private static final String FILE_NOT_EXISTS = "File does not exist: ";
 	private static final String UNSUPPORTED_FORMAT = " is an unsupported format. Supported formats are zip, 7z, tar, gz and jar.";
 	private static final String EMPTY_FILE = "The selected file is empty: ";
+	private static final String PURGED_ARCHIVE = "After performing security checks, no valid files where left to compress";
 	private static final String DIRECTORY_ATTACK = "Potential directory traversal attack detected: ";
 	private static final String MAX_FILESIZE_EXCEEDED = "The file(s) selected for (de)compression exceed the maximum permitted file size of ";
 	private static final String TOO_MANY_FILES = "Too many files have been added for (de)compression. Maximum allowed is ";
 	private static final String ZIP_SLIP_DETECTED = "Zip slip or path traversal attack detected in archive: ";
+	private static final String BIG_SINGLE_FILE = "Individual file exceeds maximum allowed size: ";
+	private static final String PROCESSING_ERROR = "Error checking archive safety for file: ";
+	private static final String ARCHIVE_SIZE_ESTIMATION_ERROR = "";
 	private static final int MAX_FILES_ALLOWED = 1000;
+	private static final long MAX_DECOMPRESSED_SIZE = 1024 * 1024 * 100; // 100MB limit
 
 	private static void storageMessages(String error, GXBaseCollection<SdtMessages_Message> messages) {
 		try {
@@ -51,7 +56,7 @@ private static void storageMessages(String error, GXBaseCollection<SdtMessages_M
 			log.error("Failed to store the following error message: {}", error, e);
 		}
 	}
-	
+
 	public static Boolean compress(ArrayList<String> files, String path, long maxCombinedFileSize, GXBaseCollection<SdtMessages_Message>[] messages) {
 		if (files.isEmpty()){
 			log.error(NO_FILES_ADDED);
@@ -76,25 +81,52 @@ public static Boolean compress(ArrayList<String> files, String path, long maxCom
 					storageMessages(FILE_NOT_EXISTS + filePath, messages[0]);
 					continue;
 				}
-				if (!normalizedPath.equals(file.getAbsolutePath())) {
+
+				// More permissive directory traversal check
+				// Check if the canonical path points to a parent directory of the file
+				// or if it points to a completely different location
+				File absFile = file.getAbsoluteFile();
+				if (!normalizedPath.startsWith(absFile.getParentFile().getCanonicalPath())) {
 					log.error(DIRECTORY_ATTACK + "{}", filePath);
 					storageMessages(DIRECTORY_ATTACK + filePath, messages[0]);
 					return false;
 				}
+
 				long fileSize = file.length();
+
+				if (maxCombinedFileSize > -1 && fileSize > maxCombinedFileSize) {
+					log.error(BIG_SINGLE_FILE + filePath);
+					storageMessages(BIG_SINGLE_FILE + filePath, messages[0]);
+					files.clear();
+					return false;
+				}
+
 				totalSize += fileSize;
 				if (maxCombinedFileSize > -1 && totalSize > maxCombinedFileSize) {
 					log.error(MAX_FILESIZE_EXCEEDED + maxCombinedFileSize);
 					storageMessages(MAX_FILESIZE_EXCEEDED + maxCombinedFileSize, messages[0]);
-					toCompress = null;
 					files.clear();
 					return false;
 				}
 				toCompress[index++] = file;
 			} catch (IOException e) {
 				log.error("Error normalizing path for file: {}", filePath, e);
+				return false;
 			}
 		}
+
+		if (index < toCompress.length) {
+			File[] resized = new File[index];
+			System.arraycopy(toCompress, 0, resized, 0, index);
+			toCompress = resized;
+		}
+
+		if (toCompress.length == 0) {
+			log.error(PURGED_ARCHIVE);
+			storageMessages(PURGED_ARCHIVE, messages[0]);
+			return false;
+		}
+
 		String format = CommonUtil.getFileType(path).toLowerCase();
 		try {
 			switch (format.toLowerCase()) {
@@ -150,8 +182,8 @@ public static Boolean decompress(String file, String path, GXBaseCollection<SdtM
 				return false;
 			}
 		} catch (Exception e) {
-			log.error("Error counting archive entries for file: {}", file, e);
-			storageMessages("Error counting archive entries for file: " + file, messages[0]);
+			log.error(PROCESSING_ERROR + file, e);
+			storageMessages(PROCESSING_ERROR + file, messages[0]);
 			return false;
 		}
 		try {
@@ -161,10 +193,28 @@ public static Boolean decompress(String file, String path, GXBaseCollection<SdtM
 				return false;
 			}
 		} catch (Exception e) {
-			log.error("Error checking archive safety for file: {}", file, e);
-			storageMessages("Error checking archive safety for file: " + file, messages[0]);
+			log.error(PROCESSING_ERROR+ file, e);
+			storageMessages(PROCESSING_ERROR + file, messages[0]);
 			return false;
 		}
+
+		try {
+			long totalSizeEstimate = CompressionUtils.estimateDecompressedSize(toCompress);
+
+			if (totalSizeEstimate > MAX_DECOMPRESSED_SIZE) {
+				log.error("Potential zip bomb detected. Estimated size: " + totalSizeEstimate + " bytes");
+				storageMessages("Potential zip bomb detected. Operation aborted for security reasons.", messages[0]);
+				if (!toCompress.delete()) {
+					log.error("Failed to delete suspicious archive: {}", file);
+				}
+				return false;
+			}
+		} catch (Exception e) {
+			log.error(ARCHIVE_SIZE_ESTIMATION_ERROR + file, e);
+			storageMessages(ARCHIVE_SIZE_ESTIMATION_ERROR+ file, messages[0]);
+			return false;
+		}
+
 		String extension = getExtension(toCompress.getName());
 		try {
 			switch (extension.toLowerCase()) {
