Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cli): prevent "zip slip" vulnerability in tool extract #1305

Merged
merged 2 commits into from
Aug 5, 2023
Merged

fix(cli): prevent "zip slip" vulnerability in tool extract #1305

merged 2 commits into from
Aug 5, 2023
+71 −11

Conversation

eventualbuddha
Copy link
Contributor

@eventualbuddha eventualbuddha commented Aug 5, 2023
edited
Loading

Using the name directly from a zip archive's entry and writing to it is a potential security vulnerability. More information about the vulnerability can be found here: https://security.snyk.io/research/zip-slip-vulnerability and here https://docs.rs/zip/latest/zip/read/struct.ZipFile.html#warnings.

It looks like the previous version maybe tried to remove \ characters to prevent this, but only in directory paths?

For posterity, I created the zip files like so:

import zipfile
z = zipfile.ZipFile('dangerous.zip', 'w')
z.writestr('/etc/passwd', 'danger!')
z.close()

@eventualbuddha
fix(cli): prevent "zip slip" vulnerability in tool extract
14e7c50 
Using the name directly from a zip archive's entry and writing to it is a potential security vulnerability. More information about the vulnerability can be found here: https://security.snyk.io/research/zip-slip-vulnerability and here https://docs.rs/zip/latest/zip/read/struct.ZipFile.html#warnings.

It looks like the previous version maybe tried to remove `\` characters to prevent this, but only in directory paths?
@eventualbuddha
fix(cli): allows extracting files without separate directory entries
03e0259 
Some zip files do not list directories separately from files. For example, a zip might contain `dir/file.txt` without a corresponding entry for just `dir/`. This should be okay, so we just create the leading paths for the files we extract as necessary.

Also adds tests for the expected and dangerous path cases of `extract_zip`.
@jkelleyrtp jkelleyrtp merged commit ac30a9a into DioxusLabs:master Aug 5, 2023
@jkelleyrtp
Copy link
Member

Thanks for finding this. Really appreciate the security analysis!

Will release soon.

@eventualbuddha eventualbuddha deleted the fix/cli/prevent-zip-slip branch August 5, 2023 14:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkelleyrtp jkelleyrtp jkelleyrtp approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eventualbuddha @jkelleyrtp