Resolve CodeQL zip slip warning

trask · trask · commit 0d243a853363 · 2025-02-03T19:24:17.000-08:00
diff --git a/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java b/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java
@@ -303,8 +303,16 @@ private URL findJarResource(String name) {
   private URL getJarEntryUrl(JarEntry jarEntry) {
     if (jarEntry != null) {
       try {
-        return new URL(jarBase, jarEntry.getName());
-      } catch (MalformedURLException e) {
+        String entryName = jarEntry.getName();
+        // normalize the path and check for directory traversal
+        // in order to resolve CodeQL zip slip warning
+        File entryFile = new File(jarBase.getPath(), entryName).getCanonicalFile();
+        File baseDir = new File(jarBase.getPath()).getCanonicalFile();
+        if (!entryFile.toPath().startsWith(baseDir.toPath())) {
+          throw new IllegalStateException("Bad zip entry: " + entryName);
+        }
+        return new URL(jarBase, entryName);
+      } catch (IOException e) {
         throw new IllegalStateException(
             "Failed to construct url for jar entry " + jarEntry.getName(), e);
       }
