From 05c88a17e994b36b1372f00f7c0b68be3bb05fdd Mon Sep 17 00:00:00 2001
From: teresa <teresa.hong.2023@cis.smu.edu.sg>
Date: Tue, 3 Jun 2025 17:58:43 +0800
Subject: [PATCH] Fix Zip Slip Vulnerability in unzipToDir Method

The `unzipToDir` method in the utility class is vulnerable to a Zip Slip attack. This vulnerability allows an attacker to craft a malicious ZIP file with entries containing path traversal sequences (e.g., "../") that can write files outside the intended destination directory when extracted.

## Security Impact
- **Before:** An attacker could craft a malicious ZIP archive that writes files anywhere on the filesystem
- **After:** Extraction is limited to the specified destination directory, preventing path traversal attacks

Reference
https://github.com/Xilinx/RapidWright/commit/acbe05349dca765b184159fa114ea9875f50d0f7
https://cwe.mitre.org/data/definitions/22.html
---
 common/src/main/java/haveno/common/util/ZipUtils.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/common/src/main/java/haveno/common/util/ZipUtils.java b/common/src/main/java/haveno/common/util/ZipUtils.java
index f5a32b69d9..5e7791543a 100644
--- a/common/src/main/java/haveno/common/util/ZipUtils.java
+++ b/common/src/main/java/haveno/common/util/ZipUtils.java
@@ -104,6 +104,10 @@ public class ZipUtils {
             int count;
             while ((entry = zipStream.getNextEntry()) != null) {
                 File file = new File(dir, entry.getName());
+                if (!file.toPath().normalize().startsWith(dir.toPath())) {
+                    throw new SecurityException("ZIP entry contains path traversal attempt: " + entry.getName());
+                }
+                
                 if (entry.isDirectory()) {
                     file.mkdirs();
                 } else {