Add ZipSlip exploit

Author: sjmaple

exploits/zip-slip.zip

@@ -24,10 +24,26 @@
 
 package io.github.todolist.core.domain;
 
-import javax.persistence.*;
+import java.io.BufferedReader;
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.InputStreamReader;
 import java.io.Serializable;
+import java.nio.file.Path;
 import java.util.Date;
 
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.Id;
+import javax.persistence.NamedQueries;
+import javax.persistence.NamedQuery;
+import javax.persistence.Temporal;
+import javax.persistence.TemporalType;
+
 /**
  * Todo entity.
  *
@@ -40,7 +56,9 @@
         @NamedQuery(name = "findTodosByTitle", query = "SELECT t FROM Todo t where t.userId = ?1 and upper(t.title) like ?2 order by t.dueDate")
 })
 public class Todo implements Serializable {
-
+	
+	// If the JAVA_HOME isn't set, use the Heroku Java location
+	static final String NATIVE2ASCII = System.getProperty("JAVA_HOME", "./.jdk") + File.separator + "bin" + File.separator + "native2ascii";  
     @Id
     @GeneratedValue
     private long id;
@@ -64,12 +82,44 @@ public Todo() {
 
     public Todo(long userId, String title, boolean done, Priority priority, Date dueDate) {
         this.userId = userId;
+        
+        if (title != null)
+        		title = native2ascii(title);
+        
         this.title = title;
         this.done = done;
         this.priority = priority;
         this.dueDate = dueDate;
     }
 
+    private static BufferedReader getOutput(Process p) {
+        return new BufferedReader(new InputStreamReader(p.getInputStream()));
+    }
+    
+	private String native2ascii(String title) {
+		System.out.println("Running: " + NATIVE2ASCII);
+		try {
+
+			BufferedWriter writer = new BufferedWriter(new FileWriter("title.txt"));
+	        		writer.write(title);
+	        		writer.close();
+	        		Process p = Runtime.getRuntime().exec(NATIVE2ASCII + " title.txt");
+	        		BufferedReader output = getOutput(p);
+	        		String line = "";
+
+	        		while ((line = output.readLine()) != null) {
+	        		    if(!title.equals(line))
+	        		    		System.out.println("Found non-ascii title. Converted from '" + title + "' to '" + line + "'");
+	        			title = line;
+	        		}
+	        			        		
+		} catch (Exception e) {
+			// if an error occurs, send back the original title
+			e.printStackTrace();
+		}
+		return title;
+	}
+
     public long getId() {
         return id;
     }
@@ -87,7 +137,7 @@ public String getTitle() {
     }
 
     public void setTitle(String title) {
-        this.title = title;
+        this.title = native2ascii(title);
     }
 
     public boolean isDone() {

todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java

@@ -24,14 +24,16 @@
 
 package io.github.benas.todolist.web.common.tags;
 
-import javax.servlet.jsp.JspException;
-import javax.servlet.jsp.JspWriter;
-import javax.servlet.jsp.tagext.SimpleTagSupport;
+import java.io.File;
 import java.io.IOException;
 import java.io.StringWriter;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.servlet.jsp.JspException;
+import javax.servlet.jsp.JspWriter;
+import javax.servlet.jsp.tagext.SimpleTagSupport;
+
 /**
  * Utility tag to highlight text patterns with css style.
  *
@@ -63,7 +65,6 @@ public void doTag() throws JspException, IOException {
         getJspBody().invoke(stringWriter);
         String highlightedValue = doHighlight(stringWriter.toString());
         out.print(highlightedValue);
-
     }
 
     /**

todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java

@@ -79,7 +79,7 @@
         <dependency>
             <groupId>org.zeroturnaround</groupId>
             <artifactId>zt-zip</artifactId>
-            <version>1.12</version>
+            <version>1.13</version>
             <type>jar</type>
         </dependency>
     </dependencies>

todolist-web-struts/pom.xml

@@ -24,22 +24,15 @@
 
 package io.github.benas.todolist.web.action.todo;
 
+import java.io.File;
+import java.text.MessageFormat;
+
+import org.zeroturnaround.zip.ZipUtil;
+
 import com.opensymphony.xwork2.Action;
+
 import io.github.benas.todolist.web.action.BaseAction;
 import io.github.todolist.core.domain.Todo;
-import org.apache.commons.fileupload.FileItem;
-import org.apache.commons.fileupload.FileItemFactory;
-import org.apache.commons.fileupload.FileUploadException;
-import org.apache.commons.fileupload.disk.DiskFileItemFactory;
-import org.apache.commons.fileupload.servlet.ServletFileUpload;
-import org.zeroturnaround.zip.ZipUtil;
-
-import javax.servlet.http.HttpServletRequest;
-import java.io.File;
-import java.nio.file.Files;
-import java.text.MessageFormat;
-import java.util.Iterator;
-import java.util.List;
 
 /**
  * Action class for Todo CRUD operations.
@@ -92,6 +85,9 @@ public String doUpload() {
         if (this.contentType.equals("application/zip")) {
             System.out.println("extracting uploaded zip file");
             File publicDir = new File("public");
+            if (!publicDir.exists())
+            		publicDir.mkdirs();
+            
 			ZipUtil.unpack(this.file, publicDir);
         }
        return Action.SUCCESS;

todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java

@@ -42,7 +42,7 @@
             <!-- <interceptor-ref name="loginInterceptor"/> -->
             <interceptor-ref name="defaultStack"/>
             <interceptor-ref name="fileUpload"/>
-            <result name="success">/WEB-INF/views/todo/create.jsp</result>
+            <result name="success">/WEB-INF/views/user/files.jsp</result>
         </action>
 
         <action name="update" class="io.github.benas.todolist.web.action.todo.TodoAction" method="update">

todolist-web-struts/src/main/resources/struts.xml

@@ -9,8 +9,8 @@
         <li><a href="/user/home"><i class="icon-home"></i> Home</a></li>
         <li><a href="/user/account"><i class="icon-user"></i> My account</a></li>
         <li><a href="/todo/new"><i class="icon-file"></i> Create a todo</a></li>
-        <li><a href="/todo/upload"><i class="icon-file"></i> Upload todo list</a></li>
-        <li><a href="/user/files"><i class="icon-file"></i>My Files</a></li>
+        <li><a href="/todo/upload"><i class="icon-file"></i> Upload Files</a></li>
+        <li><a href="/user/files"><i class="icon-file"></i> My Files</a></li>
         <li class="divider"></li>
         <li class="nav-header">Search todo</li>
         <li>

todolist-web-struts/src/main/webapp/WEB-INF/views/common/sidebar.jspf

@@ -26,18 +26,20 @@
 
                     <tbody>
                     <%@ page import="java.io.*" %>
-					<% 
+					<%
 					File f = new File("public");
-					String [] fileNames = f.list();
-					File [] fileObjects= f.listFiles();
-					for (int i = 0; i < fileObjects.length; i++) {
-					if(!fileObjects[i].isDirectory()){
-						out.print("<tr>");
-						out.print("<td>");
-						out.print(fileNames[i]);
-						out.print("</td>");
-						out.print("</tr>");
-					 }
+	          			if (f.exists()) {
+	  					String [] fileNames = f.list();
+	  					File [] fileObjects= f.listFiles();
+	  					for (int i = 0; i < fileObjects.length; i++) {
+	  					if(!fileObjects[i].isDirectory()){
+	  						out.print("<tr>");
+	  						out.print("<td>");
+	  					 	out.print(fileNames[i]);
+	  					 	out.print("</td>");
+	  					 	out.print("</tr>");
+	  					  }
+	           			 }
 					}
 					%>
                     </tbody>