Skip to content

fix(cli): prevent "zip slip" vulnerability in tool extract #1305

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jkelleyrtp merged 2 commits into from
Aug 5, 2023
Merged

fix(cli): prevent "zip slip" vulnerability in tool extract #1305

jkelleyrtp merged 2 commits into from
Aug 5, 2023

Conversation

@eventualbuddha
Copy link
Contributor

@eventualbuddha eventualbuddha commented Aug 5, 2023
edited
Loading

Using the name directly from a zip archive's entry and writing to it is a potential security vulnerability. More information about the vulnerability can be found here: https://security.snyk.io/research/zip-slip-vulnerability and here https://docs.rs/zip/latest/zip/read/struct.ZipFile.html#warnings.

It looks like the previous version maybe tried to remove \ characters to prevent this, but only in directory paths?

For posterity, I created the zip files like so:

import zipfile
z = zipfile.ZipFile('dangerous.zip', 'w')
z.writestr('/etc/passwd', 'danger!')
z.close()
@eventualbuddha
fix(cli): prevent "zip slip" vulnerability in tool extract
14e7c50 
Using the name directly from a zip archive's entry and writing to it is a potential security vulnerability. More information about the vulnerability can be found here: https://security.snyk.io/research/zip-slip-vulnerability and here https://docs.rs/zip/latest/zip/read/struct.ZipFile.html#warnings.

It looks like the previous version maybe tried to remove `\` characters to prevent this, but only in directory paths?
@eventualbuddha
fix(cli): allows extracting files without separate directory entries
03e0259 
Some zip files do not list directories separately from files. For example, a zip might contain `dir/file.txt` without a corresponding entry for just `dir/`. This should be okay, so we just create the leading paths for the files we extract as necessary.

Also adds tests for the expected and dangerous path cases of `extract_zip`.
@jkelleyrtp jkelleyrtp merged commit ac30a9a into DioxusLabs:master Aug 5, 2023
@jkelleyrtp
Copy link
Member

jkelleyrtp commented Aug 5, 2023

Thanks for finding this. Really appreciate the security analysis!

Will release soon.
@eventualbuddha eventualbuddha deleted the fix/cli/prevent-zip-slip branch August 5, 2023 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants

@eventualbuddha @jkelleyrtp