Potential path traversal when using filename from Zip archive #514
Comments
Bonus: Could be implemented in the same enhancements.
Can I take this up? :)
@thiyagu-7 Yes
I modified one of the existing test classes adding
This raised
Would this then also cover the ZipEntry cases too? 🤔
@thiyagu-7 Yes, the fact that both a PATH_TRAVERSAL_IN and the new ZIP_ENTRY_NAME? are being raised is perfect. Both have a different purpose.
This issue is up for grab. |
Can I take it? |
How do I detect that the value read in getName reaches the File() (sink) unfiltered? |
@akshaycbor Yes
In this specific case, you can do two things.
@h3xstream Maybe a silly question, but how do I get a single test to run? Whenever I try to run a single test using
@akshaycbor Running the test individually also failed on my side. I did not find a solution to run a single test with Maven. I have mostly used Maven to run the complete suite and used my IDE IntelliJ to run the tests individually. I will investigate this later.
@h3xstream I'm interested in working on this issue.
Description
The class ZipEntry describes one file inside a Zip archive. getName() returns the file name of this entry. It could contain a malicious string such as "../../../". If the value is used to build a file path, it could lead to a path traversal attack. An attacker would be able to create files or overwrite files with content of his own.
Good references:
Vulnerable code
API to cover :
java.util.zip.ZipEntry.getName()
org.apache.commons.compress.archivers.ar.ArArchiveEntry.getName()
org.apache.commons.compress.archivers.arj.ArjArchiveEntry.getName()
org.apache.commons.compress.archivers.cpio.CpioArchiveEntry.getName()
org.apache.commons.compress.archivers.dump.DumpArchiveEntry.getName()
org.apache.commons.compress.archivers.jar.JarArchiveEntry.getName()
org.apache.commons.compress.archivers.sevenz.SevenZArchiveEntry.getName()
org.apache.commons.compress.archivers.tar.TarArchiveEntry.getName()
org.apache.commons.compress.archivers.zip.ZipArchiveEntry.getName()
org.apache.commons.compress.archivers.ArchiveEntry.getName()
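The following is an added example to illustrate the description above; it is not code from this issue or from the find-sec-bugs project. It builds a small archive in memory (constructed sample data) containing one benign entry and one entry whose name carries "../" segments, then shows the vulnerable sink pattern described above (the entry name flowing unchecked into a File constructor) next to a hardened version that canonicalizes the resolved path and requires it to stay under the destination directory. The class name, method names and the temp-directory destination are all hypothetical choices for the demo; no files are written, only paths are computed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (not code from the find-sec-bugs project). Shows why an
// unchecked ZipEntry.getName() is a path-traversal source and how a
// canonical-path check at the File sink stops the escape.
public class ZipEntryPathTraversalDemo {

    // Constructed sample archive: one benign entry and one entry whose name
    // contains "../" segments. Built in memory so the demo runs offline.
    static byte[] buildSampleArchive() throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bytes)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../outside.txt"));
            zos.write("escaped".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bytes.toByteArray();
    }

    // VULNERABLE: the entry name flows straight into the File constructor.
    // "../../outside.txt" resolves to a location above destDir.
    static File vulnerableTarget(File destDir, ZipEntry entry) {
        return new File(destDir, entry.getName());
    }

    // HARDENED: canonicalize both sides and require the resolved path to stay
    // inside destDir. The trailing separator on the prefix prevents a sibling
    // directory such as "unzip-demo2" from passing the startsWith check.
    static File safeTarget(File destDir, ZipEntry entry) throws IOException {
        String destCanonical = destDir.getCanonicalPath() + File.separator;
        File target = new File(destDir, entry.getName());
        String targetCanonical = target.getCanonicalPath();
        if (!targetCanonical.startsWith(destCanonical)) {
            throw new IOException("Entry is outside of the target dir: " + entry.getName());
        }
        return target;
    }

    // Walks the archive and reports, per entry, where each resolution strategy
    // would write. Nothing is created on disk; only paths are computed.
    static void walk(File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(buildSampleArchive()))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                System.out.println("entry      : " + entry.getName());
                System.out.println("  vulnerable: " + vulnerableTarget(destDir, entry).getCanonicalPath());
                try {
                    System.out.println("  safe      : " + safeTarget(destDir, entry).getCanonicalPath());
                } catch (IOException e) {
                    System.out.println("  safe      : REJECTED (" + e.getMessage() + ")");
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical destination; it does not need to exist for getCanonicalPath().
        File destDir = new File(System.getProperty("java.io.tmpdir"), "unzip-demo");
        walk(destDir);
    }
}
```

Run with `javac ZipEntryPathTraversalDemo.java && java ZipEntryPathTraversalDemo`. For "docs/readme.txt" both strategies agree on a path under the temp directory; for "../../outside.txt" the vulnerable resolution lands above the destination while the hardened one rejects the entry. The same check applies unchanged to the Commons Compress ArchiveEntry.getName() variants listed above, since the sink (a File or Path built from an attacker-controlled name) is identical.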
Similar detector
If anybody is interested in the implementation of such a rule: it is very similar to the rule that detects FileItem.getName() from multipart upload (find-sec-bugs/findsecbugs-plugin/src/main/java/com/h3xstream/findsecbugs/file/FileUploadFilenameDetector.java, lines 31 to 51 in f86e2f2).