@Copilot Copilot AI commented Oct 10, 2025

Summary

Fixes the Zip Slip vulnerability (arbitrary file write during archive extraction) in the Expand class by improving path validation to prevent directory traversal attacks.

Resolves: https://github.com/codehaus-plexus/plexus-utils/security/code-scanning/1

Problem

The Zip Slip vulnerability is a form of directory traversal attack that allows a malicious zip file to write files outside the intended extraction directory. The original validation in Expand.extractFile() was insufficient:

if (!f.getAbsolutePath().startsWith(dir.getAbsolutePath())) {
    throw new IOException("Entry '" + entryName + "' outside the target directory.");
}

This check had two critical flaws:

  1. Used absolute paths instead of canonical paths: Didn't account for symbolic links or path normalization
  2. Vulnerable to prefix matching: A malicious entry could write to /tmp/extract-evil/malicious.txt when extracting to /tmp/extract because the absolute path string starts with the target directory prefix

Solution

The fix uses canonical paths and adds a file separator to the directory path check to prevent prefix matching attacks:

try {
    String canonicalDirPath = dir.getCanonicalPath();
    String canonicalFilePath = f.getCanonicalPath();

    // Ensure the file is within the target directory
    // We need to check that the canonical file path starts with the canonical directory path
    // followed by a file separator to prevent path traversal attacks
    if (!canonicalFilePath.startsWith(canonicalDirPath + File.separator)
            && !canonicalFilePath.equals(canonicalDirPath)) {
        throw new IOException("Entry '" + entryName + "' outside the target directory.");
    }
} catch (IOException e) {
    throw new IOException("Failed to verify entry path for '" + entryName + "'", e);
}
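The two checks side by side, as an added example that is not part of this PR or of the plexus-utils code base: it runs the original and the fixed predicate over constructed entry names resolved against a temporary directory, so the normalization and prefix-matching flaws show up as `old=true new=false`. How the extractor turns an entry name into a `File` (here `new File(dir, entryName)`, or the entry itself when it is absolute) is an assumption.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class ZipSlipCheckDemo {

    // Original check quoted in the PR: absolute paths and a bare prefix match.
    static boolean vulnerableCheck(File dir, File f) {
        return f.getAbsolutePath().startsWith(dir.getAbsolutePath());
    }

    // Fixed check quoted in the PR: canonical paths, and the directory prefix
    // must be followed by a separator (or the path must be the directory itself).
    static boolean fixedCheck(File dir, File f) throws IOException {
        String canonicalDirPath = dir.getCanonicalPath();
        String canonicalFilePath = f.getCanonicalPath();
        return canonicalFilePath.startsWith(canonicalDirPath + File.separator)
                || canonicalFilePath.equals(canonicalDirPath);
    }

    public static void main(String[] args) throws IOException {
        // Constructed extraction target; the entry names below are sample inputs.
        File dir = Files.createTempDirectory("extract").toFile();
        String[] entries = {
            "docs/readme.txt",                                  // benign entry
            "../../evil.txt",                                   // parent directory traversal
            "../" + dir.getName() + "-evil/malicious.txt",      // sibling dir sharing the prefix
            new File(dir.getParentFile(), "abs.txt").getAbsolutePath(), // absolute entry name
        };
        for (String entryName : entries) {
            // Assumption: this is how the extractor resolves an entry against the target.
            File f = new File(entryName).isAbsolute() ? new File(entryName) : new File(dir, entryName);
            System.out.printf("%-70s old=%-5s new=%-5s%n", entryName,
                    vulnerableCheck(dir, f), fixedCheck(dir, f));
        }
        dir.delete();
    }
}
```

The traversal and prefix entries are accepted by the old check because `getAbsolutePath()` leaves `..` in place, while `getCanonicalPath()` collapses it and the trailing `File.separator` stops `extractNNN-evil` from matching `extractNNN`.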

Test Coverage

Added comprehensive test cases in ExpandTest.java:

  • Parent directory traversal attacks (../../evil.txt)
  • Absolute path attacks
  • Prefix matching attacks (extracting to similarly-named directories)
  • Regression test for normal zip extraction

Verification

  • ✅ All 249 tests pass (4 new + 245 existing)
  • ✅ CodeQL security scan confirms 0 vulnerabilities
  • ✅ Code formatting and build checks pass
  • ✅ No breaking changes to existing functionality

The fix is minimal and surgical, changing only 13 lines in the security-critical path validation logic.

Original prompt

This section details the original issue you should resolve

<issue_title>Fix code scanning alert - Arbitrary file write during archive extraction ("Zip Slip")</issue_title>
<issue_description>

Tracking issue for:

Comments on the Issue (you are @copilot in this section)

Fixes #248



@Copilot Copilot AI changed the title [WIP] Fix code scanning alert for Zip Slip vulnerability Fix Zip Slip vulnerability in archive extraction Oct 10, 2025
@Copilot Copilot AI requested a review from slachiewicz October 10, 2025 20:46
Copilot finished work on behalf of slachiewicz October 10, 2025 20:46
@slachiewicz slachiewicz marked this pull request as ready for review October 11, 2025 08:49