Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Path Escape Vulerability #304

Merged
merged 7 commits into from
Dec 18, 2023
Merged

Fix Path Escape Vulerability #304

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
83a5959
Ensure directory path delimiter for test destination directory
weichsel Dec 17, 2023
95095e7
Rename test case
weichsel Dec 17, 2023
de36275
Add test case to test for directory delimiter-based traversal attacks
weichsel Dec 17, 2023
1a284d0
Add path delimiter test method to test list
weichsel Dec 17, 2023
f000f30
Ensure that crafted entry paths can't be used for escapes in `fopen`
weichsel Dec 17, 2023
6413d1f
Add explanatory comment
weichsel Dec 17, 2023
d99f75e
Refine explanatory comment
weichsel Dec 18, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 17 additions & 1 deletion Sources/ZIPFoundation/FileManager+ZIP.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -347,9 +347,25 @@ extension CocoaError {
}

public extension URL {

func isContained(in parentDirectoryURL: URL) -> Bool {
// Ensure this URL is contained in the passed in URL
let parentDirectoryURL = URL(fileURLWithPath: parentDirectoryURL.path, isDirectory: true).standardized
return self.standardized.absoluteString.hasPrefix(parentDirectoryURL.absoluteString)
// Maliciously crafted ZIP files can contain entries using a prepended path delimiter `/` in combination
// with the parent directory shorthand `..` to bypass our containment check.
// When a malicious entry path like e.g. `/../secret.txt` gets appended to the destination
// directory URL (e.g. `file:///tmp/`), the resulting URL `file:///tmp//../secret.txt` gets expanded
// to `file:///tmp/secret` when using `URL.standardized`. This URL would pass the check performed
// in `isContained(in:)`.
// Lower level API like POSIX `fopen` - which is used at a later point during extraction - expands
// `/tmp//../secret.txt` to `/secret.txt` though. This would lead to an escape to the parent directory.
// To avoid that, we replicate the behavior of `fopen`s path expansion and replace all double delimiters
// with single delimiters.
// More details: https://github.com/weichsel/ZIPFoundation/issues/281
let sanitizedEntryPathURL: URL = {
let sanitizedPath = self.path.replacingOccurrences(of: "//", with: "/")
return URL(fileURLWithPath: sanitizedPath)
}()
return sanitizedEntryPathURL.standardized.absoluteString.hasPrefix(parentDirectoryURL.absoluteString)
}
}
Binary file added Tests/ZIPFoundationTests/Resources/testPathDelimiterTraversalAttack.zip
View file
Open in desktop
Binary file not shown.
0 ...onTests/Resources/testTraversalAttack.zip → ...s/Resources/testSimpleTraversalAttack.zip
View file
Open in desktop
File renamed without changes.
10 changes: 9 additions & 1 deletion Tests/ZIPFoundationTests/ZIPFoundationReadingTests.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -275,7 +275,15 @@ extension ZIPFoundationTests {
throws: Archive.ArchiveError.invalidCRC32)
}

func testTraversalAttack() {
func testSimpleTraversalAttack() {
let fileManager = FileManager()
let archive = self.archive(for: #function, mode: .read)
let destinationURL = self.createDirectory(for: #function)
XCTAssertCocoaError(try fileManager.unzipItem(at: archive.url, to: destinationURL),
throwsErrorWithCode: .fileReadInvalidFileName)
}

func testPathDelimiterTraversalAttack() {
let fileManager = FileManager()
let archive = self.archive(for: #function, mode: .read)
let destinationURL = self.createDirectory(for: #function)
Expand Down
11 changes: 6 additions & 5 deletions Tests/ZIPFoundationTests/ZIPFoundationTests.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,16 +118,16 @@ class ZIPFoundationTests: XCTestCase {

func createDirectory(for testFunction: String) -> URL {
let fileManager = FileManager()
var URL = ZIPFoundationTests.tempZipDirectoryURL
URL = URL.appendingPathComponent(self.pathComponent(for: testFunction))
var url = ZIPFoundationTests.tempZipDirectoryURL
url = url.appendingPathComponent(self.pathComponent(for: testFunction), isDirectory: true)
do {
try fileManager.createDirectory(at: URL, withIntermediateDirectories: true, attributes: nil)
try fileManager.createDirectory(at: url, withIntermediateDirectories: true, attributes: nil)
} catch {
XCTFail("Failed to get create directory for test function:\(testFunction)")
type(of: self).tearDown()
preconditionFailure()
}
return URL
return url
}

func runWithUnprivilegedGroup(handler: () throws -> Void) {
Expand Down Expand Up @@ -253,7 +253,8 @@ extension ZIPFoundationTests {
("testRemoveEntryErrorConditions", testRemoveEntryErrorConditions),
("testRemoveUncompressedEntry", testRemoveUncompressedEntry),
("testTemporaryReplacementDirectoryURL", testTemporaryReplacementDirectoryURL),
("testTraversalAttack", testTraversalAttack),
("testSimpleTraversalAttack", testSimpleTraversalAttack),
("testPathDelimiterTraversalAttack", testPathDelimiterTraversalAttack),
("testUnzipItem", testUnzipItem),
("testUnzipItemWithPreferredEncoding", testUnzipItemWithPreferredEncoding),
("testUnzipItemErrorConditions", testUnzipItemErrorConditions),
Expand Down
Loading