Check for root directory exposure also for folder retention.

raphw · raphw · commit 9c87723d0fdb · 2026-04-22T00:22:55.000+02:00
diff --git a/byte-buddy-dep/src/main/java/net/bytebuddy/build/Plugin.java b/byte-buddy-dep/src/main/java/net/bytebuddy/build/Plugin.java
@@ -3860,11 +3860,15 @@ public void store(ClassFileVersion classFileVersion, Map<TypeDescription, byte[]
                 public void retain(Source.Element element) throws IOException {
                     String name = element.getName();
                     File target = new File(folder, name);
-                    if (!name.endsWith("/")) {
+                    String basePath = folder.getCanonicalPath(), targetPath = target.getCanonicalPath(), prefix = basePath;
+                    if (!prefix.endsWith(File.separator)) {
+                        prefix += File.separatorChar;
+                    }
+                    if (!targetPath.equals(basePath) && !targetPath.startsWith(prefix)) {
+                        throw new IllegalArgumentException(target + " is not a subdirectory of " + folder);
+                    } else if (!name.endsWith("/")) {
                         File resolved = element.resolveAs(File.class);
-                        if (!target.getCanonicalPath().startsWith(folder.getCanonicalPath() + File.separatorChar)) {
-                            throw new IllegalArgumentException(target + " is not a subdirectory of " + folder);
-                        } else if (!target.getParentFile().isDirectory() && !target.getParentFile().mkdirs()) {
+                        if (!target.getParentFile().isDirectory() && !target.getParentFile().mkdirs()) {
                             throw new IOException("Could not create directory: " + target.getParent());
                         } else if (resolved != null && !resolved.equals(target)) {
                             if (link) {
diff --git a/byte-buddy-dep/src/test/java/net/bytebuddy/build/PluginEngineTargetForFolderTest.java b/byte-buddy-dep/src/test/java/net/bytebuddy/build/PluginEngineTargetForFolderTest.java
@@ -209,4 +209,12 @@ public void testCannotWriteRelativeLocation() throws Exception {
         when(element.getName()).thenReturn("../illegal");
         target.write(Plugin.Engine.Source.Origin.NO_MANIFEST).retain(element);
     }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testCannotWriteRelativeDirectory() throws Exception {
+        Plugin.Engine.Target target = new Plugin.Engine.Target.ForFolder(folder);
+        Plugin.Engine.Source.Element element = mock(Plugin.Engine.Source.Element.class);
+        when(element.getName()).thenReturn("../illegal/");
+        target.write(Plugin.Engine.Source.Origin.NO_MANIFEST).retain(element);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -209,4 +209,12 @@ public void testCannotWriteRelativeLocation() throws Exception {`
`209`	`209`	`when(element.getName()).thenReturn("../illegal");`
`210`	`210`	`target.write(Plugin.Engine.Source.Origin.NO_MANIFEST).retain(element);`
`211`	`211`	`}`
	`212`	`+`
	`213`	`+ @Test(expected = IllegalArgumentException.class)`
	`214`	`+ public void testCannotWriteRelativeDirectory() throws Exception {`
	`215`	`+ Plugin.Engine.Target target = new Plugin.Engine.Target.ForFolder(folder);`
	`216`	`+ Plugin.Engine.Source.Element element = mock(Plugin.Engine.Source.Element.class);`
	`217`	`+ when(element.getName()).thenReturn("../illegal/");`
	`218`	`+ target.write(Plugin.Engine.Source.Origin.NO_MANIFEST).retain(element);`
	`219`	`+ }`
`212`	`220`	`}`