From 0d243a8533637065a4a8c75a578663d360cb603d Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Mon, 3 Feb 2025 19:20:45 -0800
Subject: [PATCH] Resolve CodeQL zip slip warning

---
 .../javaagent/bootstrap/AgentClassLoader.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java b/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java
index 23bfe2a626cd..ba61c18d1376 100644
--- a/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java
+++ b/javaagent-bootstrap/src/main/java/io/opentelemetry/javaagent/bootstrap/AgentClassLoader.java
@@ -303,8 +303,16 @@ private URL findJarResource(String name) {
 private URL getJarEntryUrl(JarEntry jarEntry) {
 if (jarEntry != null) {
 try {
- return new URL(jarBase, jarEntry.getName());
- } catch (MalformedURLException e) {
+ String entryName = jarEntry.getName();
+ // normalize the path and check for directory traversal
+ // in order to resolve CodeQL zip slip warning
+ File entryFile = new File(jarBase.getPath(), entryName).getCanonicalFile();
+ File baseDir = new File(jarBase.getPath()).getCanonicalFile();
+ if (!entryFile.toPath().startsWith(baseDir.toPath())) {
+ throw new IllegalStateException("Bad zip entry: " + entryName);
+ }
+ return new URL(jarBase, entryName);
+ } catch (IOException e) {
 throw new IllegalStateException(
 "Failed to construct url for jar entry " + jarEntry.getName(), e);
 }
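Review bot: The traversal check added to getJarEntryUrl relies on `getCanonicalFile()`, which is a filesystem operation that now runs on every jar-entry lookup in the class loader, and if jarBase is a `jar:` URL as the field name suggests, `jarBase.getPath()` is not an absolute filesystem path, so both canonical files are resolved against the process working directory rather than the agent jar's location. Within this method entryName is only used to build a URL on the `return new URL(jarBase, entryName)` line and is never opened as a file, so a purely lexical check on the entry name is sufficient and avoids both the I/O and the cwd dependence: `Path rel = Paths.get(entryName).normalize(); if (rel.isAbsolute() || rel.startsWith("..")) { throw new IllegalStateException("Bad zip entry: " + entryName); }` (whether CodeQL recognizes that form as a sanitizer would need confirming). The comment should also record why a check on entries of the agent's own jar exists, e.g. `// defense in depth: the entry name only forms a jar: URL here and is never written to disk`. getJarEntryUrl's body continues past the end of the hunk.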