zip slip vulnerability

[xuwei-k]

• https://security.snyk.io/research/zip-slip-vulnerability
• https://github.com/snyk/zip-slip-vulnerability

How to fix? 🤔

• change filter: NameFilter = AllPassFilter default param?

  • io/io/src/main/scala/sbt/io/IO.scala

    Lines 367 to 386 in c0e0023

    	def unzip(
    	from: File,
    	toDirectory: File,
    	filter: NameFilter = AllPassFilter,
    	preserveLastModified: Boolean = true
    	): Set[File] =
    	fileInputStream(from)(in => unzipStream(in, toDirectory, filter, preserveLastModified))
    	def unzipURL(
    	from: URL,
    	toDirectory: File,
    	filter: NameFilter = AllPassFilter,
    	preserveLastModified: Boolean = true
    	): Set[File] =
    	urlInputStream(from)(in => unzipStream(in, toDirectory, filter, preserveLastModified))
    	def unzipStream(
    	from: InputStream,
    	toDirectory: File,
    	filter: NameFilter = AllPassFilter,

• add explicit filter param in user code?
  • https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/Resolvers.scala#L44
  • https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/internal/RemoteCache.scala#L416
• another solutions?

[eed3si9n]

I have a fix here - #360