fixed partial path travesal bypass, bumped version, fixed bug in readme

Author: nahsra

README.md

@@ -35,22 +35,22 @@ In Maven:
 <dependency>
   <groupId>io.github.pixee</groupId>
   <artifactId>java-security-toolkit</artifactId>
-  <version>1.1.1</version>
+  <version>1.1.2</version>
 </dependency>
 ```
 In Gradle:
 ```kotlin
-implementation("io.github.pixee:java-security-toolkit:1.1.1")
+implementation("io.github.pixee:java-security-toolkit:1.1.2")
 ```
 
 ## Contributing 
 We'd love to get contributions! See [CONTRIBUTING.md](CONTRIBUTING.md).
 
 ### Building
-Building is meant for Java 11 and Maven 3:
+Building is meant for Java 11:
 
 ```
-mvn clean package
+./gradlew check
 ```
 
 ## FAQ

build.gradle.kts

@@ -91,7 +91,7 @@ tasks.named(java11SourceSet.jarTaskName) {
 }
 
 group = "io.github.pixee"
-version = "1.1.1"
+version = "1.1.2"
 description = "java-security-toolkit"
 
 

src/main/java/io/github/pixee/security/ZipSecurity.java

@@ -4,6 +4,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.Charset;
+import java.nio.file.Path;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 
@@ -69,7 +70,7 @@ private boolean containsEscapesAndTargetsBelowRoot(final String name) {
       if (name.contains("../") || name.contains("..\\")) {
         final File fileWithEscapes = new File(name);
         try {
-          if (isBelowCurrentDirectory(fileWithEscapes)) {
+          if (isBelowOrSisterToCurrentDirectory(fileWithEscapes)) {
             return true;
           }
         } catch (IOException e) {
@@ -79,11 +80,11 @@ private boolean containsEscapesAndTargetsBelowRoot(final String name) {
       return false;
     }
 
-    boolean isBelowCurrentDirectory(final File fileWithEscapes) throws IOException {
+    private boolean isBelowOrSisterToCurrentDirectory(final File fileWithEscapes) throws IOException {
       final File currentDirectory = new File("");
-      String canonicalizedTargetPath = fileWithEscapes.getCanonicalPath();
-      String canonicalizedCurrentPath = currentDirectory.getCanonicalPath();
-      return !canonicalizedTargetPath.startsWith(canonicalizedCurrentPath);
+      Path currentPathRoot = currentDirectory.getCanonicalFile().toPath();
+      Path pathWithEscapes = fileWithEscapes.getCanonicalFile().toPath();
+      return pathWithEscapes.startsWith(currentPathRoot) || pathWithEscapes.getParent().equals(currentPathRoot.getParent());
     }
 
     private boolean isRootFileEntry(final String name) {

src/test/java/io/github/pixee/security/ZipSecurityTest.java

@@ -4,10 +4,7 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
+import java.io.*;
 import java.nio.charset.StandardCharsets;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
@@ -50,6 +47,19 @@ void it_prevents_escapes(String path) throws IOException {
     assertThrows(SecurityException.class, hardenedStream::getNextEntry);
   }
 
+  /**
+   *
+   */
+  @Test
+  void it_prevents_sister_directory_escape() throws IOException {
+    String currentDir = new File("").getCanonicalFile().getName();
+    ZipEntry entry = new ZipEntry("foo/../../" + currentDir + "-other-sister-dir");
+    InputStream is = createZipFrom(entry);
+
+    ZipInputStream hardenedStream = ZipSecurity.createHardenedInputStream(is);
+    assertThrows(SecurityException.class, hardenedStream::getNextEntry);
+  }
+
   @Test
   void it_prevents_absolute_paths_in_zip_entries() throws IOException {
     ZipEntry entry = new ZipEntry("/foo.txt");