Fix Zip Slip vulnerability in archive extraction

[Copilot]

Summary

Fixes the Zip Slip vulnerability (arbitrary file write during archive extraction) in the Expand class by improving path validation to prevent directory traversal attacks.

Resolves: https://github.com/codehaus-plexus/plexus-utils/security/code-scanning/1

Problem

The Zip Slip vulnerability is a form of directory traversal attack that allows a malicious zip file to write files outside the intended extraction directory. The original validation in Expand.extractFile() was insufficient:

if (!f.getAbsolutePath().startsWith(dir.getAbsolutePath())) {
    throw new IOException("Entry '" + entryName + "' outside the target directory.");
}

This check had two critical flaws:

1. Used absolute paths instead of canonical paths: Didn't account for symbolic links or path normalization
2. Vulnerable to prefix matching: A malicious entry could write to /tmp/extract-evil/malicious.txt when extracting to /tmp/extract because the absolute path string starts with the target directory prefix

Solution

The fix uses canonical paths and adds a file separator to the directory path check to prevent prefix matching attacks:

try {
    String canonicalDirPath = dir.getCanonicalPath();
    String canonicalFilePath = f.getCanonicalPath();

    // Ensure the file is within the target directory
    // We need to check that the canonical file path starts with the canonical directory path
    // followed by a file separator to prevent path traversal attacks
    if (!canonicalFilePath.startsWith(canonicalDirPath + File.separator)
            && !canonicalFilePath.equals(canonicalDirPath)) {
        throw new IOException("Entry '" + entryName + "' outside the target directory.");
    }
} catch (IOException e) {
    throw new IOException("Failed to verify entry path for '" + entryName + "'", e);
}

Test Coverage

Added comprehensive test cases in ExpandTest.java:

• Parent directory traversal attacks (../../evil.txt)
• Absolute path attacks
• Prefix matching attacks (extracting to similarly-named directories)
• Regression test for normal zip extraction

Verification

• ✅ All 249 tests pass (4 new + 245 existing)
• ✅ CodeQL security scan confirms 0 vulnerabilities
• ✅ Code formatting and build checks pass
• ✅ No breaking changes to existing functionality

The fix is minimal and surgical, changing only 13 lines in the security-critical path validation logic.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Fix code scanning alert - Arbitrary file write during archive extraction ("Zip Slip")</issue_title>
<issue_description>

Tracking issue for:

• https://github.com/codehaus-plexus/plexus-utils/security/code-scanning/1
  </issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #248

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[cstamas]

Can we have this backported to 3.x line as well?

[cstamas]

NVM, missed it is already backported to 3.x

[gsmet]

@cstamas it has been backported but I don't see a 3.x release so it's still an issue, right?

[cstamas]

Right, 3.x branch has the fix, but 3.6.0 is last release, 3.6.1 yet to happen.

[gsmet]

@slachiewicz 👋 is there a plan for releasing a 3.x for Maven 3 consumption? Thanks!

[headius]

We have had a request to update the ruby-maven-libs Ruby gem to include this change. ruby-maven-libs is just a container for a complete Maven 3.x distribution, and we would prefer not to have to patch individual elements of that distribution. Therefore we are also interested in this update getting into a Maven 3 release.

[cstamas]

Plexus Utils 3.6.1 w/ fix is released. For Maven 3.9.x it may take some more time. Also, Maven 3.10.x is in preparation (goal is Resolver 2.x shipped with it).