Test symlinks

src/WordPress/Zip/ZipException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace WordPress\Zip;
+
+use Exception;
+
+class ZipException extends Exception {}

src/WordPress/Zip/functions.php

@@ -14,8 +14,14 @@ function zip_extract_to( $fp, $to_path ) {
 			continue;
 		}
 
+		// prevent zip slip -> using relative path to access otherwise inaccessible files
 		if ( false !== strpos( $entry->path ,'..') ) {
-			continue;
+			throw new ZipException("Relative paths in zips are not allowed.");
+		}
+
+		// prevent zip with symlinks -> using a symbolic link to access otherwise inaccessible files
+		if ( is_link( $entry->path ) ) {
+			throw new ZipException("Semantic links in zips are not allowed.");
 		}
 
 		$path   = Path::canonicalize( $to_path . '/' . $entry->path );

tests/unit/zip/ZipFunctionsTest.php

@@ -3,17 +3,25 @@
 namespace unit\zip;
 
 use PHPUnitTestCase;
-use Symfony\Component\Filesystem\Path;
+use WordPress\Zip\ZipException;
 use function WordPress\Zip\zip_extract_to;
 
 class ZipFunctionsTest extends PHPUnitTestCase {
-	public function testIsImmuneToZipSlipVulnerability() {
+	public function testThrowsExceptionWhenZipContainsFilesWithRelativePaths() {
 		// zipped file named: "../../../../../../../../tmp/zip-slip-test.txt"
 		$zip = __DIR__ . '/resources/zip-slip-test.zip';
 
-		zip_extract_to( fopen( $zip, 'rb' ), dirname( $zip ) );
+		self::expectException(ZipException::class);
+		self::expectExceptionMessage("Relative paths in zips are not allowed.");
+		zip_extract_to(fopen($zip, 'rb'), dirname($zip));
+	}
+
+	public function testThrowsExceptionWhenZipContainsFilesWithSymlinks() {
+		// zipped semantic link
+		$zip = __DIR__ . '/resources/zip-symlinks-test.zip';
 
-		$slipped_file = Path::canonicalize(__DIR__ . "../../../../../../../../tmp/zip-slip-test.txt");
-		self::assertFileDoesNotExist( $slipped_file );
+		self::expectException(ZipException::class);
+		self::expectExceptionMessage("Relative paths in zips are not allowed.");
+		zip_extract_to(fopen($zip, 'rb'), dirname($zip));
 	}
 }