fix: CVE-2021-20218 vulnerable to a path traversal

fabric8io · Feb 4, 2021 · 857c873 · 857c873
1 parent 613fc1c
commit 857c873
Show file tree

Hide file tree

Showing 8 changed files with 1,092 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 ## CHANGELOG
 
+### 4.13.2
+
+#### Bugs
+* Fix #2715: CVE-2021-20218 vulnerable to a path traversal leading to integrity and availability compromise
+
 ### 4.13.1 (2021-01-20)
 
 #### Bugs

diff --git a/...nt/src/main/java/io/fabric8/kubernetes/client/dsl/internal/core/v1/PodOperationsImpl.java b/...nt/src/main/java/io/fabric8/kubernetes/client/dsl/internal/core/v1/PodOperationsImpl.java
@@ -80,6 +80,7 @@
 import okhttp3.RequestBody;
 import okhttp3.Response;
 import okhttp3.ResponseBody;
+import io.fabric8.kubernetes.client.lib.FilenameUtils;
 
 public class PodOperationsImpl extends HasMetadataOperation<Pod, PodList, DoneablePod, PodResource<Pod, DoneablePod>> implements PodResource<Pod, DoneablePod>,CopyOrReadable<Boolean,InputStream, Boolean> {
 
@@ -560,7 +561,11 @@ public void  run() {
         {
           for (org.apache.commons.compress.archivers.ArchiveEntry entry = tis.getNextTarEntry(); entry != null; entry = tis.getNextEntry()) {
             if (tis.canReadEntryData(entry)) {
-              File f = new File(destination, entry.getName());
+              final String normalizedEntryName = FilenameUtils.normalize(entry.getName());
+              if (normalizedEntryName == null){
+                throw new IOException("Tar entry '" + entry.getName() + "' has an invalid name");
+              }
+              File f = new File(destination, normalizedEntryName);
               if (entry.isDirectory()) {
                 if (!f.isDirectory() && !f.mkdirs()) {
                   throw new IOException("Failed to create directory: " + f);