Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
fix: fail when trying to extract outside of dest dir #87
This PR is meant to fix an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive, that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder.
A sample malicious zip file named zip-slip.zip (see this gist) was used, and when running the code below, resulted in the creation of /tmp/evil.txt outside of the intended /tmp/safe target.
There are various possible ways to avoid this issue, some include checking for .. (dot dot) characters in the filename, but the best solution in our opinion is to check if the final target filename, starts with the target folder (after both are resolved to their absolute path).
I think the purpose of the fix is to not allow files from the archive to be written outside the destination directory. Otherwise a maliciously crafted archive may cause files to be extracted in arbitrary (potentially dangerous) location. @jpederzolli I'm not sure I understand what you mean. Is there a use case where you want to unpack files outside the destination directory? Could you please give an example? Or even better - open an issue so we can better track it.