AbstractUnArchiver extractFile has Partial Path Traversal Vulnerability #260

Closed
@Fewword

The patch file for CVE-2018-1002200 still has a vulnerability, which is a partial path traversal vulnerability.
In commit f8f4233, the extractFile function uses if ( !canonicalDestPath.startsWith( canonicalDirPath ) ) to check for path traversal vulnerabilities. But it still allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.

Comparing paths with java.nio.file.Path#startsWith will adequately protect against this vulnerability.

For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())
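
The two checks described in the issue above, run side by side on the same entry names. This is an added example, not code from the issue or from the project; the class name, method names, temporary directory layout and entry names are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class PartialTraversalDemo {

    // String-prefix comparison of canonical paths, the form quoted in the issue.
    static boolean stringPrefixCheck(File destDir, String entryName) throws IOException {
        String canonicalDirPath = destDir.getCanonicalPath();
        String canonicalDestPath = new File(destDir, entryName).getCanonicalPath();
        return canonicalDestPath.startsWith(canonicalDirPath);
    }

    // Component-wise comparison with java.nio.file.Path#startsWith, as the issue suggests.
    static boolean pathComponentCheck(File destDir, String entryName) throws IOException {
        File canonicalDest = new File(destDir, entryName).getCanonicalFile();
        return canonicalDest.toPath().startsWith(destDir.getCanonicalFile().toPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/out is the extraction directory.
        File tmp = Files.createTempDirectory("partial-traversal").toFile();
        File destDir = new File(tmp, "out");
        Files.createDirectories(destDir.toPath());

        // Constructed entry names, as an archive might carry them.
        String[] entries = {
            "docs/readme.txt",     // resolves inside out/
            "../outnot/file.txt",  // sibling whose name starts with "out"
            "../other/file.txt",   // sibling with an unrelated name
        };

        System.out.printf("%-22s %-14s %s%n", "entry", "String prefix", "Path prefix");
        for (String entry : entries) {
            System.out.printf("%-22s %-14s %s%n", entry,
                    stringPrefixCheck(destDir, entry) ? "accepted" : "rejected",
                    pathComponentCheck(destDir, entry) ? "accepted" : "rejected");
        }
    }
}
```

The string comparison accepts the `../outnot` entry because the canonical path of `outnot` begins with the same characters as that of `out`, while `Path#startsWith` compares whole name elements and rejects it.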
