Directory traversal (unsafe unzip) vulnerability #1840
Describe the bug
It is possible to create files outside the temporary folder by importing a zip file containing files with relative paths. This can be used to create scripts and configurations at locations where they can be picked up by applications, other scripts or executed during start up.
Additional information: https://snyk.io/research/zip-slip-vulnerability
Steps to reproduce the behavior:
Create payload and start server on Linux
Steps on OpenRefine
No error nor warning.
Warn the user about dangerous content in the zip and prevent the creation of the file.
The video is inside a zip file because of GitHub file extension restrictions.
Desktop (please complete the following information):
OpenRefine (please complete the following information):
@itsacoderepo Do you recommend a fix such as what SonarQube did? SonarSource/sonarqube@08438a2#diff-6d8def68a00bf88a105528765f02fb95
Or another method / library?
Is the CVE-2018-19859 vulnerability fixed in the 3.2-beta? The history above and the bug fix summary for 3.2-beta seem to indicate it has, but you indicate above that you've allocated some work to 3.5. As a result the CVE record (https://nvd.nist.gov/vuln/detail/CVE-2018-19859) indicates that it won't be fixed until 3.5. My work won't let me use the software until the NIST vulnerabilities are fixed.
CVE database now updated to indicate that this has been fixed in 3.2-beta: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19859