MITM based Zip Slip in `org.hl7.fhir.publisher:org.hl7.fhir.publisher`
Critical severity
GitHub Reviewed
Published Jan 23, 2023 in HL7/fhir-ig-publisher • Updated Jan 23, 2023
Package
Affected versions: < 1.2.30
Patched versions: 1.2.30
Description
Published to the GitHub Advisory Database: Jan 23, 2023
Reviewed: Jan 23, 2023
Last updated: Jan 23, 2023
Impact
A man-in-the-middle (MITM) attack can enable Zip Slip.
Vulnerability
Vulnerability 1: `Publisher.java`
The entries of the zip file being unpacked are not validated, so a malicious entry can write outside of the intended destination directory.
https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java#L3598-L3610
Vulnerability 2: `WebSourceProvider.java`
There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.
https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java#L104-L112
Vulnerability 3: `ZipFetcher.java`
This retains the path of each zip entry in the `FetchedFile` entries, which could later be used to output malicious entries to another compressed file or to the file system.
https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java#L57-L106
Vulnerability 4: `IGPack2NpmConvertor.java`
The `loadZip` method retains the path of each entry in the zip file, which could later be used to output malicious entries to another compressed file or to the file system.
https://github.com/HL7/fhir-ig-publisher/blob/87313e92de6dd6cea816449e0edd225e054a7891/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java#L442-L463