Skip to content

test: add CVE-2025-29787 regression test (ZIP symlink zip-slip)#138

Merged
bug-ops merged 1 commit intomainfrom
133-zip-symlink-cve-regression
Mar 25, 2026
Merged

test: add CVE-2025-29787 regression test (ZIP symlink zip-slip)#138
bug-ops merged 1 commit intomainfrom
133-zip-symlink-cve-regression

Conversation

@bug-ops
Copy link
Copy Markdown
Owner

@bug-ops bug-ops commented Mar 25, 2026

Summary

  • Adds regression test for CVE-2025-29787 (ZIP symlink zip-slip, GHSA-94vh-gphv-8pm8)
  • exarch is not vulnerable: SafeSymlink::validate rejects escaping symlinks before they are written to disk, so a subsequent entry up/etc/passwd can never escape the extraction root
  • Two tests added to crates/exarch-core/tests/security/cve_regression.rs:
    • test_cve_2025_29787_zip_slip_blocked_with_symlinks_enabled (unix): asserts SymlinkEscape error and verifies no file escaped extraction root
    • test_cve_2025_29787_zip_slip_blocked_with_symlinks_disabled: asserts SecurityViolation at the symlink entry with default config
  • Adds narrative reference file tests/cve/cve_2025_29787.rs following existing workspace CVE pattern

Test plan

  • cargo nextest run passes (615 tests, 3 skipped)
  • cargo clippy --all-targets --all-features --workspace -- -D warnings clean
  • cargo +nightly fmt --all -- --check clean
  • RUSTDOCFLAGS="-D warnings" cargo doc clean
  • cargo deny check clean

Closes #133

@bug-ops
test: add CVE-2025-29787 regression test (ZIP symlink zip-slip)
7f15ca0 
exarch is not vulnerable: SafeSymlink::validate rejects escaping symlinks
(e.g. `up -> ../..`) before they are written to disk, so a subsequent entry
`up/etc/passwd` can never escape the extraction root.

Adds two regression tests in cve_regression.rs:
- zip slip blocked with allow_symlinks=true (unix): asserts SymlinkEscape error
- zip slip blocked with allow_symlinks=false (default): asserts SecurityViolation

Closes #133
@bug-ops bug-ops force-pushed the 133-zip-symlink-cve-regression branch from 8a52f43 to 7f15ca0 Compare March 25, 2026 21:19
@bug-ops bug-ops enabled auto-merge (squash) March 25, 2026 21:19
@github-actions github-actions bot added core Changes to exarch-core docs Documentation tests Test changes labels Mar 25, 2026
@bug-ops bug-ops merged commit dc1a4af into main Mar 25, 2026
20 checks passed
@bug-ops bug-ops deleted the 133-zip-symlink-cve-regression branch March 25, 2026 21:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

core Changes to exarch-core docs Documentation tests Test changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

security: verify ZIP extraction validates resolved canonical path after symlink entries (CVE-2025-29787 pattern)

1 participant

@bug-ops