Fixes zip-slip vulnerability

Fixes sbt#358
Ref codehaus-plexus/plexus-archiver 87

**Problem**
IO.unzip currently has zip-slip vulnerability, which can write arbitrary
files on the machine using specially crafted zip archive that holds path
traversal file names.

**Solution**
This replicates the fix originally sent to plex-archiver by Snyk Team.

Author: eed3si9n

io/src/main/scala/sbt/io/IO.scala

@@ -387,35 +387,43 @@ object IO {
       preserveLastModified: Boolean = true
   ): Set[File] = {
     createDirectory(toDirectory)
-    zipInputStream(from)(zipInput => extract(zipInput, toDirectory, filter, preserveLastModified))
+    zipInputStream(from)(zipInput =>
+      extract(zipInput, toDirectory.toPath, filter, preserveLastModified)
+    )
   }
 
   private def extract(
       from: ZipInputStream,
-      toDirectory: File,
+      toDirectory: NioPath,
       filter: NameFilter,
       preserveLastModified: Boolean
   ) = {
-    val set = new HashSet[File]
+    val set = new HashSet[NioPath]
+    val canonicalDirPath = toDirectory.normalize().toString
+    def validateExtractPath(name: String, target: NioPath): Unit =
+      if (!target.normalize().toString.startsWith(canonicalDirPath)) {
+        throw new RuntimeException(s"Entry ($name) is outside of the target directory")
+      }
     @tailrec def next(): Unit = {
       val entry = from.getNextEntry
       if (entry == null)
         ()
       else {
         val name = entry.getName
         if (filter.accept(name)) {
-          val target = new File(toDirectory, name)
+          val target = toDirectory.resolve(name)
+          validateExtractPath(name, target)
           // log.debug("Extracting zip entry '" + name + "' to '" + target + "'")
           if (entry.isDirectory)
-            createDirectory(target)
+            createDirectory(target.toFile)
           else {
             set += target
             translate("Error extracting zip entry '" + name + "' to '" + target + "': ") {
-              fileOutputStream(false)(target)(out => transfer(from, out))
+              fileOutputStream(false)(target.toFile)(out => transfer(from, out))
             }
           }
           if (preserveLastModified)
-            setModifiedTimeOrFalse(target, entry.getTime)
+            setModifiedTimeOrFalse(target.toFile, entry.getTime)
         } else {
           // log.debug("Ignoring zip entry '" + name + "'")
         }
@@ -424,7 +432,7 @@ object IO {
       }
     }
     next()
-    Set() ++ set
+    (Set() ++ set).map(_.toFile)
   }
 
   // TODO: provide a better API to download things.

io/src/test/resources/zip-slip.zip

@@ -24,6 +24,7 @@ object WriteContentSpecification extends Properties("Write content") {
   property("Append string appends") = forAll(appendAndCheckStrings _)
   property("Append bytes appends") = forAll(appendAndCheckBytes _)
   property("Unzip doesn't stack overflow") = largeUnzip()
+  property("Unzip errors given parent traversal") = testZipSlip()
 
   implicit lazy val validChar: Arbitrary[Char] = Arbitrary(
     for (i <- Gen.choose(0, 0xd7ff)) yield i.toChar
@@ -39,6 +40,16 @@ object WriteContentSpecification extends Properties("Write content") {
     true
   }
 
+  private def testZipSlip() = {
+    val badFile = new File("io/src/test/resources/zip-slip.zip")
+    try {
+      unzipFile(badFile)
+      false
+    } catch {
+      case e: RuntimeException => e.getMessage.contains("outside of the target directory")
+    }
+  }
+
   private def testUnzip[T](implicit mf: Manifest[T]) =
     unzipFile(IO.classLocationFileOption(mf.runtimeClass).getOrElse(sys.error(s"$mf")))