chore(QTDI-1086) Improve path manipulation detection

coheigea · coheigea · commit fe4e5df368ee · 2025-01-02T11:25:58.000Z
diff --git a/component-tools/src/main/java/org/talend/sdk/component/tools/exec/CarMain.java b/component-tools/src/main/java/org/talend/sdk/component/tools/exec/CarMain.java
@@ -310,7 +310,7 @@ private static Properties installJars(final File m2Root, final boolean forceOver
                 if (entry.getName().startsWith("MAVEN-INF/repository/")) {
                     final String path = entry.getName().substring("MAVEN-INF/repository/".length());
                     final File output = new File(m2Root, path);
-                    if (!output.getCanonicalPath().startsWith(m2Root.getCanonicalPath())) {
+                    if (!output.getCanonicalPath().startsWith(m2Root.getCanonicalPath() + File.separator)) {
                         throw new IOException("The output file is not contained in the destination directory");
                     }
                     if (!output.exists() || forceOverwrite) {
diff --git a/talend-component-kit-intellij-plugin/src/main/java/org/talend/sdk/component/intellij/module/ProjectDownloader.java b/talend-component-kit-intellij-plugin/src/main/java/org/talend/sdk/component/intellij/module/ProjectDownloader.java
@@ -117,7 +117,7 @@ private static void unzip(final InputStream read, final File destination, final
                     path = path.replaceFirst("^[^/]+/", "");
                 }
                 final File file = new File(destination, path);
-                if (!file.getCanonicalPath().startsWith(destination.getCanonicalPath())) {
+                if (!file.getCanonicalPath().startsWith(destination.getCanonicalPath() + File.separator)) {
                     throw new IOException("The output file is not contained in the destination directory");
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -310,7 +310,7 @@ private static Properties installJars(final File m2Root, final boolean forceOver`
`310`	`310`	`if (entry.getName().startsWith("MAVEN-INF/repository/")) {`
`311`	`311`	`final String path = entry.getName().substring("MAVEN-INF/repository/".length());`
`312`	`312`	`final File output = new File(m2Root, path);`
`313`		`- if (!output.getCanonicalPath().startsWith(m2Root.getCanonicalPath())) {`
	`313`	`+ if (!output.getCanonicalPath().startsWith(m2Root.getCanonicalPath() + File.separator)) {`
`314`	`314`	`throw new IOException("The output file is not contained in the destination directory");`
`315`	`315`	`}`
`316`	`316`	`if (!output.exists() \|\| forceOverwrite) {`
Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ private static void unzip(final InputStream read, final File destination, final`
`117`	`117`	`path = path.replaceFirst("^[^/]+/", "");`
`118`	`118`	`}`
`119`	`119`	`final File file = new File(destination, path);`
`120`		`- if (!file.getCanonicalPath().startsWith(destination.getCanonicalPath())) {`
	`120`	`+ if (!file.getCanonicalPath().startsWith(destination.getCanonicalPath() + File.separator)) {`
`121`	`121`	`throw new IOException("The output file is not contained in the destination directory");`
`122`	`122`	`}`
`123`	`123`