
Security Fix for zip-slip - huntr.dev #13

Merged (2 commits), Feb 21, 2021

Conversation

huntr-helper (Contributor)

@mufeedvh (https://huntr.dev/users/mufeedvh) has fixed a potential zip-slip vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

| Q | A |
|---|---|
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/other/rc-zip/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-other-rc-zip

⚙️ Description *

The Rust package rc-zip is vulnerable to Zip Slip attacks; this is a fix implemented in the sample jean project the vulnerability was reported in.

Note that rc-zip seems to be aware of this vulnerability/attack already, as seen in the documentation.

They implemented this intentionally, as this crate is focused on parsing and handling zip files as they are; mitigation for this vulnerability can be handled separately, and this is an example.

rc-zip/src/format/archive.rs[L176-L182]

...
    /// Returns the entry's name
    ///
    /// This should be a relative path, separated by `/`. However, there are zip files in the wild
    /// with all sorts of evil variants, so, be conservative in what you accept.
    pub fn name(&self) -> &str {
        self.entry.name.as_ref()
    }
...

And

rc-zip/src/format/archive.rs[L27-L31]

...
    /// Attempts to look up an entry by name. This is usually a bad idea,
    /// as names aren't necessarily normalized in zip archives.
    pub fn by_name<N: AsRef<str>>(&self, name: N) -> Option<&StoredEntry> {
        self.entries.iter().find(|&x| x.name() == name.as_ref())
    }
...

💻 Technical Description *

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim's machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.

More on Snyk's White Paper.

🐛 Proof of Concept (PoC) *

Payload File: zip-slip.zip

git clone https://github.com/rust-compress/rc-zip
cd rc-zip
cargo build
./target/debug/jean unzip zip-slip.zip

(screenshot: before-fix)

🔥 Proof of Fix (PoF) *

(screenshot: after-fix)

👍 User Acceptance Testing (UAT)

$ cargo test
Finished test [unoptimized + debuginfo] target(s) in 53.14s
Running target/debug/deps/jean-cbcbaa51a5343313

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

     Running target/debug/deps/rc_zip-cb580c2d24e9e613

running 4 tests
test tests::test_fsm ... ok
test tests::test_async_ara ... ok
test tests::detect_encodings ... ok
test tests::test_reader ... ok

test result: ok. 4 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

   Doc-tests rc-zip

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

🔗 Relates to...

418sec/huntr#1760
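The rc-zip docstrings quoted above leave entry-name validation to the extractor. The following is an added example in Rust of the conservative check an extractor should apply before joining an entry name onto the destination directory; it is not the jean fix from this PR (whose diff is not shown on this page) and not part of rc-zip's API. `safe_entry_path`, `ZipSlipError` and the sample entry names are this example's own.

```rust
use std::path::{Component, Path, PathBuf};

/// Why an archive entry name was refused. Example type, not rc-zip's.
#[derive(Debug, PartialEq, Eq)]
pub enum ZipSlipError {
    Empty,
    NulByte,
    Absolute,
    ParentDir,
}

/// Map a raw zip entry name onto a path strictly inside `dest`.
///
/// Rules (deliberately conservative, as the rc-zip docs advise):
/// * `\` is treated as a separator: archives written on Windows use it, and on
///   Unix a literal `..\x` would otherwise pass as one odd-looking filename.
/// * The name must be relative: no leading `/`, no `C:`-style drive prefix.
/// * No `..` component anywhere; `.` and empty components are dropped.
pub fn safe_entry_path(dest: &Path, raw_name: &str) -> Result<PathBuf, ZipSlipError> {
    if raw_name.is_empty() {
        return Err(ZipSlipError::Empty);
    }
    if raw_name.contains('\0') {
        return Err(ZipSlipError::NulByte);
    }
    let name = raw_name.replace('\\', "/");
    if name.starts_with('/') {
        return Err(ZipSlipError::Absolute);
    }
    let mut out = dest.to_path_buf();
    for comp in Path::new(&name).components() {
        match comp {
            Component::Normal(part) => {
                // Refuse drive letters even on Unix, where "C:" is a legal
                // filename: a Windows extractor would treat it as a root.
                if part.to_string_lossy().contains(':') {
                    return Err(ZipSlipError::Absolute);
                }
                out.push(part);
            }
            Component::CurDir => {}
            Component::ParentDir => return Err(ZipSlipError::ParentDir),
            Component::RootDir | Component::Prefix(_) => return Err(ZipSlipError::Absolute),
        }
    }
    // A name made only of "." or "/" resolves to the destination itself.
    if out == dest {
        return Err(ZipSlipError::Empty);
    }
    // Belt and braces: the joined path must still sit under dest.
    if !out.starts_with(dest) {
        return Err(ZipSlipError::ParentDir);
    }
    Ok(out)
}

fn main() {
    // Constructed entry names modelled on a zip-slip payload, not taken from the PoC archive.
    let dest = Path::new("/tmp/extract");
    let names = [
        "docs/readme.txt",
        "../../../../tmp/evil.sh",
        "/etc/cron.d/job",
        "..\\..\\windows\\win.ini",
        "./a/./b",
        "C:\\boot.ini",
    ];
    for name in names {
        match safe_entry_path(dest, name) {
            Ok(p) => println!("extract {:?} -> {}", name, p.display()),
            Err(e) => println!("REFUSE  {:?}: {:?}", name, e),
        }
    }
}
```

This is a lexical check only. If the archive also carries symlink entries and the extractor materialises them, a later entry can still escape through a symlinked directory; refuse symlink entries or resolve each target with `canonicalize()` against the destination before writing.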

@b1nslashsh

hey @fasterthanlime,
any update on it? 😄

Best regards,
muhaimin

@fasterthanlime fasterthanlime merged commit d43c169 into bearcove:main Feb 21, 2021
@fasterthanlime (Collaborator)

All merged! Thanks for the ping (and the fix), my inbox is a disaster so I just lost track of it.

@JamieSlome

@fasterthanlime, if you want more security fixes and patches like this in the future, you can let security researchers know that they can win bounties protecting your repository by copying this small code snippet into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

👇 👇 👇

@l4AgXc l4AgXc mentioned this pull request May 11, 2021