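diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
index 683a8b5..2f2ed8f 100644
--- a/src/main/java/org/testng/JarFileUtils.java
+++ b/src/main/java/org/testng/JarFileUtils.java
@@ -77,6 +77,9 @@ class JarFileUtils {
 if (Parser.canParse(jeName.toLowerCase())) {
 InputStream inputStream = jf.getInputStream(je);
 File copyFile = new File(file, jeName);
+ if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 Files.copyFile(inputStream, copyFile);
 if (matchesXmlPathInJar(je)) {
 suitePath = copyFile.toString();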
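Review bot: The containment check runs after `jf.getInputStream(je)` has already opened the entry, so the new `throw` path leaves that stream unclosed unless a try-with-resources outside this hunk covers it. Building `copyFile` and validating it above the `getInputStream` line avoids this. The message would be more useful for triage if it named the entry, e.g. `throw new IOException("Bad zip entry: " + jeName);`, with the name sanitised if these messages reach logs. `normalize()` is purely lexical, so if `file` can be a relative path or sit behind a symlink, comparing `toAbsolutePath().normalize()` on both sides would be the more robust form. The enclosing method starts and ends outside the hunk, so how the stream and the exception are handled there is not visible.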