CVE-2023-28465

An attacker crafts a malicious FHIR package (e.g., an NPM package) containing a zip entry with a path that uses `../` traversal sequences. If the attacker's chosen directory name is a substring of an allowed directory name, the previous validation could be bypassed. The attacker supplies the malicious package to the package-decompression feature, which calls `Utilities.path()` to construct the output path. Because the path construction did not verify that the final resolved path still starts with the intended base directory, the attacker could write files to arbitrary directories on the filesystem [patch_id=1640911].

The vulnerability resides in the `Utilities.path()` method within `org.hl7.fhir.utilities`. The incomplete fix for CVE-2023-24057 allowed directory traversal when an attacker-supplied directory name is a substring of an allowed directory name. The patch adds validation in `Utilities.path()` to reject computed paths that do not start with the first path element, preventing traversal outside the intended base directory.

The fix adds validation in `Utilities.path()` that checks whether the computed path starts with the first path element provided. If the computed path does not start with that first element, a `RuntimeException` is thrown, preventing directory traversal. The patch also adds extensive parameterized tests covering Windows root paths (e.g., `C:\`), macOS/Linux root paths (e.g., `/`), and non-first-element start paths to ensure the validation works correctly across platforms [patch_id=1640911]. The release version was bumped from `5.6.106-SNAPSHOT` to `5.6.106` [patch_id=1640906].