Skip to content

Commit

Permalink
fix: CVE-2021-20218 vulnerable to a path traversal
Browse files Browse the repository at this point in the history
  • Loading branch information
manusa committed Feb 4, 2021
1 parent 613fc1c commit 857c873
Show file tree
Hide file tree
Showing 8 changed files with 1,092 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
## CHANGELOG

### 4.13.2

#### Bugs
* Fix #2715: CVE-2021-20218 vulnerable to a path traversal leading to integrity and availability compromise

### 4.13.1 (2021-01-20)

#### Bugs
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@
import okhttp3.RequestBody;
import okhttp3.Response;
import okhttp3.ResponseBody;
import io.fabric8.kubernetes.client.lib.FilenameUtils;

public class PodOperationsImpl extends HasMetadataOperation<Pod, PodList, DoneablePod, PodResource<Pod, DoneablePod>> implements PodResource<Pod, DoneablePod>,CopyOrReadable<Boolean,InputStream, Boolean> {

Expand Down Expand Up @@ -560,7 +561,11 @@ public void run() {
{
for (org.apache.commons.compress.archivers.ArchiveEntry entry = tis.getNextTarEntry(); entry != null; entry = tis.getNextEntry()) {
if (tis.canReadEntryData(entry)) {
File f = new File(destination, entry.getName());
final String normalizedEntryName = FilenameUtils.normalize(entry.getName());
if (normalizedEntryName == null){
throw new IOException("Tar entry '" + entry.getName() + "' has an invalid name");
}
File f = new File(destination, normalizedEntryName);
if (entry.isDirectory()) {
if (!f.isDirectory() && !f.mkdirs()) {
throw new IOException("Failed to create directory: " + f);
Expand Down
Loading

0 comments on commit 857c873

Please sign in to comment.