This repository has been archived by the owner on May 15, 2024. It is now read-only.

Sanitize zip entry paths before extracting #121

Merged
merged 2 commits into from
May 7, 2018

Conversation

shana

@shana shana commented May 2, 2018

Zip entries can contain relative paths that end up outside the extraction directory if used as-is, for instance ..\..\..\..\file.txt, which can be a potential security risk. This sanitizes all paths before extraction while ensuring that valid relative paths are not lost.

  • a\..\c\file.txt -> c\file.txt
  • a\..\..\c\file.txt -> c\file.txt
  • ..\..\..\..\c\file.txt -> c\file.txt
  • a\b\..\c\file.txt -> a\c\file.txt
  • a\b\c\..\e\..\..\f\file.txt -> a\f\file.txt

Many thanks to Snyk Security Research Team for tracking down this issue.
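The normalisation the description spells out, written out as an added example (my own Python, not the project's code): segments are collapsed so that a `..` with nothing left to pop is discarded rather than climbing above the extraction root, plus a defender-side check that the final destination really lies under the extraction directory. Treating absolute names and drive letters as relative goes beyond the PR's own examples and is my generalisation.

```python
import os
import re


def sanitize_entry_path(name: str) -> str:
    """Collapse '.' and '..' in a zip entry name so it can never resolve
    above the extraction directory.  Both '\\' and '/' are separators; a
    '..' with nothing left to pop is dropped, so '..\\..\\c\\file.txt'
    becomes 'c/file.txt' while 'a\\b\\..\\c\\file.txt' keeps 'a/'.
    Output always uses '/'."""
    # Generalisation beyond the PR examples: strip a leading drive letter
    # ('C:') so absolute Windows names are treated as relative too.
    name = re.sub(r"^[A-Za-z]:", "", name)
    parts = []
    for seg in re.split(r"[\\/]+", name):
        if seg in ("", "."):      # empty segment (leading '/') or '.'
            continue
        if seg == "..":
            if parts:             # only climb within what we have built
                parts.pop()
            continue
        parts.append(seg)
    return "/".join(parts)


def safe_destination(extract_dir: str, entry_name: str) -> str:
    """Return the absolute path an entry may be written to, refusing any
    result that ends up outside extract_dir even after symlinks inside
    the extraction directory are resolved (belt-and-braces check)."""
    root = os.path.realpath(extract_dir)
    rel = sanitize_entry_path(entry_name)
    if not rel:
        raise ValueError(f"entry {entry_name!r} resolves to the root itself")
    dest = os.path.realpath(os.path.join(root, *rel.split("/")))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"entry {entry_name!r} escapes {root}")
    return dest


if __name__ == "__main__":
    for raw in (r"a\..\c\file.txt", r"..\..\..\..\c\file.txt",
                r"a\b\c\..\e\..\..\f\file.txt"):
        print(f"{raw!r:40} -> {sanitize_entry_path(raw)!r}")
```

The realpath/commonpath check in `safe_destination` is what catches an entry whose sanitised name lands on a symlink pointing outside the root, which pure string normalisation cannot see.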

shana added 2 commits May 1, 2018 14:52
@shana shana merged commit 55d2c13 into haf:master May 7, 2018
@shana shana deleted the bugs/relative-paths branch May 7, 2018 19:30
@haf haf mentioned this pull request Nov 13, 2018