Merge pull request #10 from apache/dependabot/maven/extensions/camel/org.apache.camel-camel-core-2.24.0

Bump camel-core from 2.11.1 to 2.24.0 in /extensions/camel
diff --git a/extensions/hazelcast/pom.xml b/extensions/hazelcast/pom.xml
index 5150c12..ffbc5dc 100644
--- a/extensions/hazelcast/pom.xml
+++ b/extensions/hazelcast/pom.xml
@@ -43,6 +43,6 @@
     </dependencies>
 
     <properties>
-        <hazelcast.version>3.1</hazelcast.version>
+        <hazelcast.version>3.12.13</hazelcast.version>
     </properties>
 </project>
diff --git a/extensions/jackson/pom.xml b/extensions/jackson/pom.xml
index e9dd5e1..c654099 100644
--- a/extensions/jackson/pom.xml
+++ b/extensions/jackson/pom.xml
@@ -41,6 +41,6 @@
     </dependencies>
 
     <properties>
-        <jackson.version>2.2.3</jackson.version>
+        <jackson.version>2.12.7.1</jackson.version>
     </properties>
 </project>
diff --git a/gui/jaxrs/webapp/pom.xml b/gui/jaxrs/webapp/pom.xml
index 1de74e8..ff730c0 100644
--- a/gui/jaxrs/webapp/pom.xml
+++ b/gui/jaxrs/webapp/pom.xml
@@ -40,7 +40,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-war-plugin</artifactId>
-                <version>2.4</version>
+                <version>3.3.2</version>
                 <executions>
                     <execution>
                         <id>default-war</id>
diff --git a/gui/servlet/webapp/pom.xml b/gui/servlet/webapp/pom.xml
index e1f8ee6..b988bd7 100644
--- a/gui/servlet/webapp/pom.xml
+++ b/gui/servlet/webapp/pom.xml
@@ -40,7 +40,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-war-plugin</artifactId>
-        <version>2.4</version>
+        <version>3.3.2</version>
         <configuration>
           <failOnMissingWebXml>false</failOnMissingWebXml>
           <archiveClasses>true</archiveClasses>
diff --git a/pom.xml b/pom.xml
index 2e5883e..7b2db63 100644
--- a/pom.xml
+++ b/pom.xml
@@ -505,7 +505,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-release-plugin</artifactId>
-                <version>2.5</version>
+                <version>3.0.0-M6</version>
                 <configuration>
                     <pushChanges>false</pushChanges>
                     <localCheckout>true</localCheckout>
diff --git a/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java b/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java
index d3d1acb..f57cac3 100644
--- a/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java
+++ b/tools/cli/src/main/java/org/apache/batchee/cli/zip/Zips.java
@@ -44,6 +44,9 @@
             while ((entry = in.getNextEntry()) != null) {
                 final String path = entry.getName();
                 final File file = new File(destination, path);
+                if (!file.toPath().normalize().startsWith(destination.toPath().normalize())) {
+                    throw new IOException("Bad zip entry");
+                }
 
                 if (entry.isDirectory()) {
                     continue;
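Review bot: The containment check on line 75 normalizes both sides but leaves them relative when the caller passes a relative `destination`; for `destination = new File(".")` the normalized base is the empty path, which on the default filesystem no path `startsWith`, so every entry is rejected, and any other relative base makes the result depend on the working directory. Resolving both paths to absolute first removes that dependency: `final Path target = file.toPath().toAbsolutePath().normalize();` followed by `if (!target.startsWith(destination.toPath().toAbsolutePath().normalize())) {` (this needs `java.nio.file.Path` imported if it is not already). The rejection on line 76 is also easier to triage when it names the offending entry, `throw new IOException("Bad zip entry: " + path);`. The test added by this PR expects the message to contain "Unable to unzip" rather than "Bad zip entry", so presumably an outer catch in the enclosing method rewraps the exception; that method starts and ends outside the hunk.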
diff --git a/tools/cli/src/test/java/org/apache/batchee/cli/zip/ZipsTest.java b/tools/cli/src/test/java/org/apache/batchee/cli/zip/ZipsTest.java
new file mode 100644
index 0000000..46a58af
--- /dev/null
+++ b/tools/cli/src/test/java/org/apache/batchee/cli/zip/ZipsTest.java
@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.batchee.cli.zip;
+
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class ZipsTest {
+    @Rule
+    public final TemporaryFolder temp = new TemporaryFolder();
+
+    @Test
+    public void zipSlip() throws IOException {
+        final File zip = temp.newFile("test.zip");
+        final String slipFile = "attack.txt";
+
+        try (final ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(zip.toPath()))) {
+            out.putNextEntry(new ZipEntry("../" + slipFile));
+            out.write("test".getBytes(StandardCharsets.UTF_8));
+            out.closeEntry();
+        }
+
+        final File exploded = temp.newFolder("some/nested/folder");
+        try {
+            Zips.unzip(zip, exploded);
+            fail("Bad zip entry exception not raised!");
+        } catch (IOException exception) {
+            assertTrue("Unable to unzip", exception.getMessage().contains("Unable to unzip"));
+        }
+    }
+}
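Review bot: The assertion on line 139 checks that the message contains "Unable to unzip", which is not the "Bad zip entry" text thrown by the new guard in Zips.java, so the test presumably relies on a wrapping catch in Zips.unzip that is not part of this diff; asserting on the cause as well, `assertTrue(String.valueOf(exception.getCause()).contains("Bad zip entry"));`, ties the test to the guard it is meant to cover. The test also never verifies the property its name promises, namely that nothing was written outside the extraction directory; adding `assertFalse(new File(exploded.getParentFile(), slipFile).exists());` after the try/catch (with a static import of `org.junit.Assert.assertFalse`) pins that down regardless of how the exception is worded. The first argument of assertTrue on line 139 is the failure message, and repeating the expected substring there says nothing about what failed; a description such as `"exception should report the unzip failure"` is more useful when the test breaks.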