directory traversal still in org.codehaus.plexus.util.Expand #294

@Crispy-fried-chicken

Description

Hi, we have detected a directory traversal vulnerability in the function extractFile in the class org.codehaus.plexus.util.Expand. The target function extractFile uses FileUtils.resolveFile(dir, entryName) to resolve the file path, where entryName is from an archive entry (external input). It then checks if the resolved file's absolute path starts with the target directory's absolute path using f.getAbsolutePath().startsWith(dir.getAbsolutePath()). This check is insufficient for preventing path traversal because it relies on string prefix matching, which can be bypassed if the resolved path uses different canonical forms (e.g., symlinks, case differences, or redundant path elements). Additionally, resolveFile normalizes the path but does not ensure it remains under the base directory; the check in extractFile is the primary defense. However, this check is vulnerable to partial matches (e.g., if dir is /tmp/app and an attacker uses an entryName like ../app/../etc/passwd, the resolved path might be /etc/passwd, which does not start with /tmp/app—so it would be blocked—but if the attacker uses a path that shares a prefix, it might bypass). The code does not use canonicalization before the check, which is critical. The resolveFile function handles path separators and uses getCanonicalFile(), but the check in extractFile uses getAbsolutePath(), which may not be canonical.
This could allow bypasses via symlinks or other tricks. Overall, the check is prone to false negatives due to the lack of canonical path comparison.
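The following is an added example illustrating the mitigation the report points at: canonicalizing both the base directory and the resolved entry before comparing, and requiring a path separator after the base prefix so that a sibling directory sharing the prefix is not accepted. It is not code from plexus-utils; the class and method names (SafeEntryResolver, resolveUnderBase, weakPrefixCheck) and the sample entry names are assumptions constructed for this illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not plexus-utils code): hardened resolution of an archive
 * entry name under an extraction directory.
 */
public final class SafeEntryResolver {

    private SafeEntryResolver() {}

    /**
     * Returns the canonical target file for entryName, or throws if the entry
     * resolves outside baseDir.
     */
    public static File resolveUnderBase(File baseDir, String entryName) throws IOException {
        // Canonicalize both sides. getCanonicalFile() resolves symlinks, "..", ".",
        // duplicate separators and, on case-insensitive filesystems, the case of
        // existing components, so both strings are in the same form before comparing.
        File canonicalBase = baseDir.getCanonicalFile();
        File target = new File(canonicalBase, entryName).getCanonicalFile();

        String basePath = canonicalBase.getPath();
        String targetPath = target.getPath();

        // A bare startsWith(basePath) would accept ".../app2/x" for base ".../app".
        // Requiring the separator after the base path closes that partial-prefix gap.
        boolean inside = targetPath.equals(basePath)
                || targetPath.startsWith(basePath + File.separator);
        if (!inside) {
            throw new IOException("entry '" + entryName + "' resolves outside " + basePath);
        }
        return target;
    }

    /**
     * Prefix-only check on getAbsolutePath(), in the style the issue describes
     * (hypothetical, for comparison). getAbsolutePath() does not normalize "..",
     * so the prefix test can pass for an entry that leaves the directory.
     */
    static boolean weakPrefixCheck(File baseDir, String entryName) {
        File f = new File(baseDir, entryName);
        return f.getAbsolutePath().startsWith(baseDir.getAbsolutePath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a fresh temp directory named "app" plus a sibling "app2".
        File parent = Files.createTempDirectory("resolver-demo").toFile();
        File base = new File(parent, "app");
        File sibling = new File(parent, "app2");
        if (!base.mkdir() || !sibling.mkdir()) {
            throw new IOException("could not create sample directories");
        }

        // Constructed entry names: one legitimate, two that leave the base directory.
        List<String> entries = Arrays.asList(
                "docs/readme.txt",
                "../app2/escaped.txt",
                "../../outside.txt");

        for (String entry : entries) {
            boolean weakAccepts = weakPrefixCheck(base, entry);
            String hardened;
            try {
                hardened = "accepted -> " + resolveUnderBase(base, entry).getPath();
            } catch (IOException e) {
                hardened = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-22s weak prefix check: %-5s canonical check: %s%n",
                    entry, weakAccepts, hardened);
        }
    }
}
```

Running the main method shows the canonical check accepting only the first entry, while the prefix-only variant also passes ../app2/escaped.txt because the un-normalized absolute path still begins with the base directory string. The same separator-aware comparison should be applied after canonicalization in any extraction routine that derives file names from archive entries.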