[Bug]: zip slip CVE-2024-44900 #1084
Description
What happened?
Issue Description
PathBasedAnalysisInputLocation: The issue allows a zip file containing path traversal filenames to write outside the target directory. This can result in applications using better-files being vulnerable to arbitrary file write/overwrite. This sort of vulnerability can result in tampering exploits to full system takeover of the application server.
Proof of Concept
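```java
import java.io.File;
import sootup.core.model.SourceType;
import sootup.java.bytecode.inputlocation.PathBasedAnalysisInputLocation;

public class Main {
  // Thread.sleep throws a checked exception, so main must declare it
  public static void main(String[] args) throws InterruptedException {
    // Creating the input location for a .war file triggers its extraction
    PathBasedAnalysisInputLocation.create(new File("1.war").toPath(), SourceType.Application);
    Thread.sleep(60 * 1000);
  }
}
```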
sootup.java.bytecode.inputlocation.PathBasedAnalysisInputLocation.WarArchiveAnalysisInputLocation#extractWarFile must be fixed:

```java
Path filepath = destDirectory.resolve(zipEntry.getName());
```
Version
Latest release (e.g. via Maven)
Relevant log output
No response