mybatis · hazendaz · Apr 28, 2025
diff --git a/src/main/java/org/apache/ibatis/migration/io/DefaultVFS.java b/src/main/java/org/apache/ibatis/migration/io/DefaultVFS.java
@@ -80,7 +80,16 @@
                 if (log.isLoggable(Level.FINER)) {
                   log.log(Level.FINER, "Jar entry: " + entry.getName());
                 }
-                children.add(entry.getName());
+                String entryName = entry.getName();
@@ -91,3 +91,4 @@
                }
-                children.add(entryName);
+                // Add only the sanitized and validated entry name
+                children.add(entryFile.getName());
              }
@@ -91,3 +91,4 @@
                }
-                children.add(entryName);
+                // Add only the sanitized and validated entry name
+                children.add(entryFile.getName());
              }
+                File entryFile = new File(path, entryName).getCanonicalFile();
+                File baseDir = new File(path).getCanonicalFile();
+                if (!entryFile.toPath().startsWith(baseDir.toPath())) {
+                  if (log.isLoggable(Level.WARNING)) {
+                    log.log(Level.WARNING, "Skipping potentially unsafe entry: " + entryName);
+                  }
+                  continue;
+                }
+                children.add(entryName);
               }
             }
           } else {