[SECURITY] Fix Zip Slip Vulnerability

carbon-p2-plugin/src/main/java/org/wso2/maven/p2/generate/utils/FileManagementUtil.java

@@ -425,6 +425,9 @@ public static void unzip(File archiveFile,File destination) throws Exception{
                 int count;
                 byte data[] = new byte[BUFFER];
                 File file = new File(base,entry.getName());
+                if (!file.toPath().normalize().startsWith(base.toPath().normalize())) {
+                    throw new IOException("Bad zip entry");
+                }
                 if (entry.getName().endsWith("/")){
                     file.mkdirs();
                     continue;

maven-car-plugin/src/main/java/org/wso2/maven/car/artifact/utils/FileManagementUtil.java

@@ -383,6 +383,9 @@ public static void unzip(File archiveFile,File destination) throws Exception{
 	             int count;
 	             byte data[] = new byte[BUFFER];
 	             File file = new File(base,entry.getName());
+               if (!file.toPath().normalize().startsWith(base.toPath().normalize())) {
+                   throw new IOException("Bad zip entry");
+               }
 	             if (entry.getName().endsWith("/")){
 	            	 file.mkdirs();
 	            	 continue;

org.wso2.maven.utils/src/main/java/org/wso2/developerstudio/eclipse/utils/archive/ArchiveManipulator.java

@@ -158,7 +158,10 @@ public void extractFromStream(InputStream inputStream, String extractDir) throws
             ZipEntry entry;
             while ((entry = zin.getNextEntry()) != null) {
                 String entryName = entry.getName();
-                File f = new File(extractDir + File.separator + entryName);
+                File f = new File(extractDir, entryName);
+                if (!f.toPath().normalize().startsWith(extractDir)) {
+                    throw new IOException("Bad zip entry");
+                }
 
                 if (entryName.endsWith("/") && !f.exists()) { // this is a
                     // directory
@@ -171,7 +174,7 @@ public void extractFromStream(InputStream inputStream, String extractDir) throws
                 String dirPath = "";
                 if (lastIndexOfSlash != -1) {
                     dirPath = entryName.substring(0, lastIndexOfSlash);
-                    File dir = new File(extractDir + File.separator + dirPath);
+                    File dir = new File(extractDir, dirPath);
                     if (!dir.exists()) {
                         dir.mkdirs();
                     }

org.wso2.maven.utils/src/main/java/org/wso2/developerstudio/eclipse/utils/file/FileUtils.java

@@ -661,7 +661,10 @@ public static void extractFromStream(InputStream inputStream, String extractDir)
             ZipEntry entry;
             while ((entry = zin.getNextEntry()) != null) {
                 String entryName = entry.getName();
-                File f = new File(extractDir + File.separator + entryName);
+                File f = new File(extractDir, entryName);
+                if (!f.toPath().normalize().startsWith(extractDir)) {
+                    throw new IOException("Bad zip entry");
+                }
 
                 if (entryName.endsWith("/") && !f.exists()) { // this is a
                     // directory
@@ -674,7 +677,7 @@ public static void extractFromStream(InputStream inputStream, String extractDir)
                 String dirPath = "";
                 if (lastIndexOfSlash != -1) {
                     dirPath = entryName.substring(0, lastIndexOfSlash);
-                    File dir = new File(extractDir + File.separator + dirPath);
+                    File dir = new File(extractDir, dirPath);
                     if (!dir.exists()) {
                         dir.mkdirs();
                     }