Merge pull request #152 from BulkSecurityGeneratorProjectV2/fix/JLL/zip-slip-vulnerability

[SECURITY] Fix Zip Slip Vulnerability

Author: forgivedengkai

fate-serving-common/src/main/java/com/webank/ai/fate/serving/common/utils/ZipUtil.java

@@ -54,7 +54,11 @@ public static String unzip(File zipFile, String outputDirectory) throws Exceptio
             while (entries.hasMoreElements()) {
                 ZipEntry entry = entries.nextElement();
 
-                File outputFile = new File(outputDirectory + uuid + File.separator + entry.getName());
+                File outputFile = new File(outputDirectory + uuid, entry.getName());
+
+                if (!outputFile.toPath().normalize().startsWith(outputDirectory + uuid)) {
+                    throw new RuntimeException("Bad zip entry");
+                }
                 if (entry.isDirectory()) {
                     outputFile.mkdirs();
                     continue;