Potential fix for code scanning alert no. 5: Arbitrary file access during archive extraction ("Zip Slip")

Schlaumeier5 · github-advanced-security[bot] · web-flow · commit 62625bbb0e4f · 2025-08-13T00:25:30.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/src/main/java/de/igslandstuhl/database/server/resources/ResourceHelper.java b/src/main/java/de/igslandstuhl/database/server/resources/ResourceHelper.java
@@ -9,6 +9,8 @@
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.NoSuchFileException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -28,6 +30,28 @@
  */
 public class ResourceHelper {
 
+    /**
+     * Checks if a zip entry name is safe (no path traversal, not absolute).
+     */
+    private static boolean isSafeZipEntryName(String entryName) {
+        // Reject absolute paths
+        Path path = Paths.get(entryName).normalize();
+        if (path.isAbsolute()) {
+            return false;
+        }
+        // Reject entries containing ".." as a path segment
+        for (Path part : path) {
+            if (part.toString().equals("..")) {
+                return false;
+            }
+        }
+        // Reject entries starting with "/" or "\"
+        if (entryName.startsWith("/") || entryName.startsWith("\\")) {
+            return false;
+        }
+        return true;
+    }
+
     /**
      * For all elements of java.class.path get a Collection of resources Pattern
      * pattern = Pattern.compile(".*"); gets all resources
@@ -87,6 +111,10 @@ private static Collection<String> getResourcesFromJarFile(final File file, final
         while (e.hasMoreElements()) {
             final ZipEntry ze = e.nextElement();
             final String fileName = ze.getName();
+            if (!isSafeZipEntryName(fileName)) {
+                // Optionally log or throw, here we skip unsafe entries
+                continue;
+            }
             final boolean accept = pattern.matcher(fileName).matches();
             if (accept) {
                 retval.add(fileName);
