Introduced protections against "zip slip" attacks

Author: pixeebot[bot]

flow-server/pom.xml

@@ -170,7 +170,10 @@
             <version>${hibernate.validator.version}</version>
             <scope>test</scope>
         </dependency>
-
+        <dependency>
+            <groupId>io.github.pixee</groupId>
+            <artifactId>java-security-toolkit</artifactId>
+        </dependency>
     </dependencies>
     <build>
         <resources>

flow-server/src/main/java/com/vaadin/flow/server/frontend/CompressUtil.java

@@ -16,6 +16,7 @@
 
 package com.vaadin.flow.server.frontend;
 
+import io.github.pixee.security.ZipSecurity;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -109,8 +110,7 @@ public static void uncompressFile(File zip, File targetDirectory) {
             return;
         }
         byte[] buffer = new byte[1024];
-        try (ZipInputStream zis = new ZipInputStream(
-                new FileInputStream(zip))) {
+        try (ZipInputStream zis = ZipSecurity.createHardenedInputStream(new FileInputStream(zip))) {
             ZipEntry zipEntry = zis.getNextEntry();
             while (zipEntry != null) {
                 File newFile = newFile(targetDirectory, zipEntry);

pom.xml

@@ -146,6 +146,7 @@
         <failsafe.parallel>all</failsafe.parallel>
         <failsafe.threadCount>2</failsafe.threadCount>
         <failsafe.perCoreThreadCount>true</failsafe.perCoreThreadCount>
+        <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
     </properties>
 
     <repositories>
@@ -280,6 +281,11 @@
                 <artifactId>hamcrest-all</artifactId>
                 <version>1.3</version>
             </dependency>
+            <dependency>
+                <groupId>io.github.pixee</groupId>
+                <artifactId>java-security-toolkit</artifactId>
+                <version>${versions.java-security-toolkit}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>