Merge pull request #374 from odinn1984/feat/fail_on_outside_target_files

fix: prevent extracting archived files outside of target path
adamhathcock · May 2, 2018 · 42b1205 · 42b1205
2 parents 259acd0 + 80ceb1c
commit 42b1205
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 2 deletions.
diff --git a/src/SharpCompress/Archives/IArchiveEntryExtensions.cs b/src/SharpCompress/Archives/IArchiveEntryExtensions.cs
@@ -48,6 +48,7 @@ public static void WriteTo(this IArchiveEntry archiveEntry, Stream streamToWrite
         {
             string destinationFileName;
             string file = Path.GetFileName(entry.Key);
+            string fullDestinationDirectoryPath = Path.GetFullPath(destinationDirectory);
 
             options = options ?? new ExtractionOptions()
                                  {
@@ -58,19 +59,35 @@ public static void WriteTo(this IArchiveEntry archiveEntry, Stream streamToWrite
             if (options.ExtractFullPath)
             {
                 string folder = Path.GetDirectoryName(entry.Key);
-                string destdir = Path.Combine(destinationDirectory, folder);
+                string destdir = Path.GetFullPath(
+                                    Path.Combine(fullDestinationDirectoryPath, folder)
+                                 );
+
                 if (!Directory.Exists(destdir))
                 {
+                    if (!destdir.StartsWith(fullDestinationDirectoryPath))
+                    {
+                        throw new ExtractionException("Entry is trying to create a directory outside of the destination directory.");
+                    }
+
                     Directory.CreateDirectory(destdir);
                 }
                 destinationFileName = Path.Combine(destdir, file);
             }
             else
             {
-                destinationFileName = Path.Combine(destinationDirectory, file);
+                destinationFileName = Path.Combine(fullDestinationDirectoryPath, file);
             }
+
             if (!entry.IsDirectory)
             {
+                destinationFileName = Path.GetFullPath(destinationFileName);
+
+                if (!destinationFileName.StartsWith(fullDestinationDirectoryPath))
+                {
+                    throw new ExtractionException("Entry is trying to write a file outside of the destination directory.");
+                }
+
                 entry.WriteToFile(destinationFileName, options);
             }
         }

diff --git a/tests/SharpCompress.Test/Zip/ZipArchiveTests.cs b/tests/SharpCompress.Test/Zip/ZipArchiveTests.cs
@@ -433,7 +433,34 @@ public void Zip_Deflate_PKWear_Multipy_Entry_Access()
                     }
                 }
             }
+        }
+
+        [Fact]
+        public void Zip_Evil_Throws_Exception()
+        {
+            Exception expectedExcetpion = null;
+            string zipFile = Path.Combine(TEST_ARCHIVES_PATH, "Zip.Evil.zip");
+
+            try
+            { 
+                using (var archive = ZipArchive.Open(zipFile))
+                {
+                    foreach (var entry in archive.Entries.Where(entry => !entry.IsDirectory))
+                    {
+                        entry.WriteToDirectory(SCRATCH_FILES_PATH, new ExtractionOptions()
+                        {
+                            ExtractFullPath = true,
+                            Overwrite = true
+                        });
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                expectedExcetpion = ex;
+            }
 
+            Assert.NotEqual(expectedExcetpion, null);
         }
 
         class NonSeekableMemoryStream : MemoryStream

diff --git a/tests/TestArchives/Archives/Zip.Evil.zip b/tests/TestArchives/Archives/Zip.Evil.zip