From 6175368cca93620bad45260152391b360d0751db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Armin=20H=C3=A4berling?=
Date: Fri, 17 May 2019 09:44:36 +0200
Subject: [PATCH] Compare paths when extracting an archive with the canonical destination directory

Commit 93d77ffc023effbcb36813648b578a0541709d76 introduced a check that files extracted from a tar archive will not be written outside of the destination directory. Unfortunately it also introduced a regression prventing the extraction of any tar archive when the path to the destination directory contains a symbolic link. For example on a jenkins agent where /var/lib/jenkins is a symbolic link to /data/jenkins and a job tries to extact nodejs to /var/lib/jenkins/workspace/example-project/target/node/tmp. The old code would then check if canonical path to a tar entry like /data/jenkins/workspace/example-project/target/node/tmp/XXX starts with /var/lib/jenkins/workspace/example-project/target/node/tmp which always fails. This commit compares the canonical extraction paths of the tar entries with the canonical path of the destination directory, which fixes the regression and still checks that no file is extracted outside of the destination directory.
---
 .../maven/plugins/frontend/lib/ArchiveExtractor.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/frontend-plugin-core/src/main/java/com/github/eirslett/maven/plugins/frontend/lib/ArchiveExtractor.java b/frontend-plugin-core/src/main/java/com/github/eirslett/maven/plugins/frontend/lib/ArchiveExtractor.java
index 901af7296..e0bbe8ae7 100644
--- a/frontend-plugin-core/src/main/java/com/github/eirslett/maven/plugins/frontend/lib/ArchiveExtractor.java
+++ b/frontend-plugin-core/src/main/java/com/github/eirslett/maven/plugins/frontend/lib/ArchiveExtractor.java
@@ -104,13 +104,14 @@ public void extract(String archive, String destinationDirectory) throws ArchiveE
 tarIn = new TarArchiveInputStream(new GzipCompressorInputStream(fis));
 TarArchiveEntry tarEntry = tarIn.getNextTarEntry();
+ String canonicalDestinationDirectory = new File(destinationDirectory).getCanonicalPath();
 while (tarEntry != null) {
 // Create a file for this tarEntry
 final File destPath = new File(destinationDirectory + File.separator + tarEntry.getName());
 prepDestination(destPath, tarEntry.isDirectory());
- if (!destPath.getCanonicalPath().startsWith(destinationDirectory)) {
+ if (!destPath.getCanonicalPath().startsWith(canonicalDestinationDirectory)) {
 throw new IOException(
- "Expanding " + tarEntry.getName() + " would create file outside of " + destinationDirectory
+ "Expanding " + tarEntry.getName() + " would create file outside of " + canonicalDestinationDirectory
 );
 }
 if (!tarEntry.isDirectory()) {
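Review bot: The new guard on the `if` line is still a plain string-prefix test, so an entry that canonicalises to a sibling directory whose name merely begins with the destination's name (constructed example: `.../node/tmp2/x` checked against `.../node/tmp`) passes the check and is written outside the intended directory. Compare against the directory plus a separator and accept the directory itself: `String canonicalEntryPath = destPath.getCanonicalPath();` followed by `if (!canonicalEntryPath.equals(canonicalDestinationDirectory) && !canonicalEntryPath.startsWith(canonicalDestinationDirectory + File.separator)) {`, or use the component-wise `java.nio.file.Path#startsWith` if the file already works with `Path`. Note also that `prepDestination(destPath, ...)` runs before the check; if it creates parent directories (its body is not in this hunk), a hostile entry could still create a directory outside the destination before the exception is thrown, so the check would be safer placed ahead of that call. `extract()` begins and ends outside this hunk.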