Fix Path Traversal Vulnerability in deleteRecursive Method#447
Open
th555555 wants to merge 2 commits into lessthanoptimal:SNAPSHOT from
Conversation
Description
This pull request addresses a critical security vulnerability in the deleteRecursive method. The current implementation has no path validation, making it susceptible to path traversal attacks that could allow deletion of files outside the intended directory.
Security Impact
Vulnerability Type: Path Traversal (CWE-22)
Severity: High
Impact: Potential unauthorized deletion of files anywhere on the filesystem
Attack Vector: Any code path that allows user-controlled input to reach this method
Changes Made
Added a required base directory parameter to establish a security boundary
Implemented path validation using canonical file paths and Java NIO Path comparisons
Added existence check for files before attempting to delete
Changed exception type to IOException for consistency with file operations
Added detailed error message for security violations
References
AdoptOpenJDK/IcedTea-Web@b09c6a4
https://cwe.mitre.org/data/definitions/22.html

Description
This pull request addresses a critical security vulnerability in the decompressZip method that could allow attackers to overwrite arbitrary files on the system using specially crafted ZIP archives.
Security Impact
Vulnerability Type: Path Traversal / Zip Slip (CWE-22)
Severity: High
Impact: Unauthorized file write to any location where the application has write permissions
Attack Vector: Processing malicious ZIP archives containing entries with path traversal sequences (e.g., "../../../dangerous-path")
Changes Made
Added path validation to ensure extracted files stay within the target directory
Added explicit error handling for malicious ZIP entries
Preserved all existing functionality (including the delete parameter)
References:
https://cwe.mitre.org/data/definitions/22.html
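An added Java example, not code from this PR or from the project, that puts the two checks the descriptions talk about side by side: the canonical Path.startsWith boundary for deleteRecursive and the same check applied to ZIP entry names before extraction. The class and method names are assumptions; it assumes Java 11+ and works only inside a temporary directory it creates itself.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class SafePaths {
    // True when f lies inside baseDir once symlinks and ".." are resolved. Path.startsWith
    // compares whole name elements, so "/tmp/base" does not match "/tmp/base-evil" the way
    // a String prefix check would.
    public static boolean isInside(File baseDir, File f) throws IOException {
        Path base = baseDir.getCanonicalFile().toPath();
        return f.getCanonicalFile().toPath().startsWith(base);
    }

    // deleteRecursive with the base-directory boundary from the PR description. Every child
    // is checked too, so a symlink under baseDir that points outside is refused, not followed.
    public static void deleteRecursive(File baseDir, File f) throws IOException {
        if (!isInside(baseDir, f)) {
            throw new IOException("Refusing to delete outside of base dir: " + f);
        }
        if (!f.exists()) return;
        File[] children = f.isDirectory() ? f.listFiles() : null;
        if (children != null) {
            for (File child : children) deleteRecursive(baseDir, child);
        }
        if (!f.delete()) throw new IOException("Failed to delete " + f);
    }

    // Resolve a ZIP entry name under targetDir, rejecting Zip Slip entries before any write.
    public static File resolveZipEntry(File targetDir, String entryName) throws IOException {
        File dest = new File(targetDir, entryName);
        if (!isInside(targetDir, dest)) {
            throw new IOException("Zip entry is outside of the target dir: " + entryName);
        }
        return dest;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("safepaths-demo"); // constructed sandbox directory
        Files.createDirectories(tmp.resolve("sub"));
        Files.writeString(tmp.resolve("sub/a.txt"), "data");
        System.out.println("accepted: " + resolveZipEntry(tmp.toFile(), "sub/b.txt"));
        try {
            resolveZipEntry(tmp.toFile(), "../../escape.txt"); // constructed traversal entry name
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        deleteRecursive(tmp.toFile(), tmp.toFile()); // removes only the sandbox
    }
}
```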
lessthanoptimal
requested changes
Sep 20, 2025
Owner
deleteRecursive doesn't build and needs a variable defined. Also add a comment explaining why this check is needed. I'm assuming it's because maybe a symbolic link or shortcut could reference something outside? Bonus points if you add a simple unit test that triggers this new code.
Thanks for the PR! I can see how these could be a security issue.
    }

    // Security check: ensure we're only deleting files within the base directory
    if (!(f.getCanonicalFile().toPath().startsWith(baseDir.getCanonicalFile().toPath()))) {
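Review bot: `f.getCanonicalFile()` and `baseDir.getCanonicalFile()` are both declared to throw IOException, so this `if` line does not compile unless deleteRecursive declares `throws IOException` or catches and re-throws; the description says the method's exception type was changed to IOException, so the declared signature at this hunk should be what makes the line build. A comment above the check should also say why canonical paths are used here: resolving symlinks and `..` is what stops an entry under the base directory from pointing to something outside it.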
Owner
You need to catch and re-throw IOExceptions
    if (entry.isDirectory()) {

    // Security check to prevent zip slip vulnerability
    if (!entryDestination.getCanonicalPath().startsWith(targetPath)) {
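Review bot: `entryDestination.getCanonicalPath()` returns a String, so if `targetPath` is a String this is a character-prefix test and a target of `/data/out` also accepts `/data/out-other/...`; either compare as Paths (`entryDestination.getCanonicalFile().toPath().startsWith(targetDir.getCanonicalFile().toPath())`, as the deleteRecursive hunk does) or make sure `targetPath` is the canonical path with a trailing `File.separator`. `getCanonicalPath()` also throws IOException, so the same signature or catch-and-rethrow point applies here.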
Owner
I did not know a zip file could reference a parent path? I'll look at your references.