Comparing changes: testng-team/testng, base 7.5 ... compare 7.5.1

  • 2 commits
  • 6 files changed
  • 3 contributors

Commits on Apr 26, 2023

  1. Cherrypick - 47afa2c to 7.5 release

    vuln-fix: Zip Slip Vulnerability
    
    This fixes a Zip-Slip vulnerability.
    
    This change does one of two things. This change either
    
    1. Inserts a guard to protect against Zip Slip.
    OR
    2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
    
    For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
    The check is bypassed although `/outnot` is not under the `/out` directory.
    It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
    For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`;
    however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
    
    Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Severity: High
    CVSS: 7.4
    Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)
    
    Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
    Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
    
    Bug-tracker: JLLeitschuh/security-research#16
    
    Co-authored-by: Moderne <team@moderne.io>
    2 people authored and krmahadevan committed Apr 26, 2023
    Commit 18810fc
  2. Attempting Release 7.5.1

    krmahadevan committed Apr 26, 2023
    Commit 7ddeadb
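The two checks contrasted in the Zip Slip commit message above, placed next to the per-entry guard it describes, as an added Java example; this is not code from the TestNG repository or from the commit, and the `/usr/out` and `/usr/outnot` paths are the commit's own illustration used as constructed sample values.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class ZipSlipGuard {

    // The check the commit replaces: a String prefix test on canonical paths.
    // "/usr/outnot".startsWith("/usr/out") holds, so a sibling directory that
    // merely shares a name prefix is accepted as if it were inside the parent.
    static boolean insideByStringPrefix(File parent, File child) throws IOException {
        return child.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // The replacement from the commit: Path.startsWith compares whole name
    // elements, so /usr/outnot is not under /usr/out, while /usr/out/x is.
    static boolean insideByPath(File parent, File child) throws IOException {
        Path parentPath = parent.getCanonicalFile().toPath();
        Path childPath = child.getCanonicalFile().toPath();
        return childPath.startsWith(parentPath);
    }

    // Guard to run on every archive entry before anything is written: the entry
    // name is joined to the destination and must canonicalise to a location
    // inside it, which also rejects names that climb out with "..".
    static File resolveEntry(File destDir, String entryName) throws IOException {
        File target = new File(destDir, entryName);
        if (!insideByPath(destDir, target)) {
            throw new IOException("zip entry escapes destination directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths; on Linux canonicalisation succeeds even
        // when these directories do not exist.
        File parent = new File("/usr/out");
        File sibling = new File("/usr/outnot");
        System.out.println("string prefix check accepts sibling: " + insideByStringPrefix(parent, sibling));
        System.out.println("path element check accepts sibling:  " + insideByPath(parent, sibling));

        // A well-formed entry resolves inside the destination; a traversal entry is rejected.
        System.out.println("resolved: " + resolveEntry(parent, "report/index.html"));
        try {
            resolveEntry(parent, "../../tmp/escaped.txt");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```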