
Sanitize zip entry paths before extracting #121

Merged: 2 commits merged into haf:master from the bugs/relative-paths branch, May 7, 2018

Conversation

shana (Collaborator) commented May 2, 2018

Zip entries can contain relative paths that end up outside the extraction directory if used as-is, for instance ..\..\..\..\file.txt, which can be a potential security risk. This sanitizes all paths before extraction while ensuring that valid relative paths are not lost.

  • a\..\c\file.txt -> c\file.txt
  • a\..\..\c\file.txt -> c\file.txt
  • ..\..\..\..\c\file.txt -> c\file.txt
  • a\b\..\c\file.txt -> a\c\file.txt
  • a\b\c\..\e\..\..\f\file.txt -> a\f\file.txt

Many thanks to Snyk Security Research Team for tracking down this issue.

shana added 2 commits May 1, 2018 14:52
Zip entries can contain relative paths that end up outside the extraction
directory if used as-is, for instance "..\..\..\..\file.txt", which can be
a potential security risk. This sanitizes all paths before extraction while
ensuring that valid relative paths are not lost.

- "a\..\c\file.txt" -> "c\file.txt"
- "a\..\..\c\file.txt" -> "c\file.txt"
- "..\..\..\..\c\file.txt" -> "c\file.txt"
- "a\b\..\c\file.txt" -> "a\c\file.txt"
- "a\b\c\..\e\..\..\f\file.txt" -> "a\f\file.txt"
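The sanitization rule spelled out in the PR description and repeated in the commit message, as an added Python example (this is not the project's own C# code): each entry name is split into segments, `.` and empty segments are dropped, a `..` pops the previous segment when there is one and is otherwise discarded, so traversal above the extraction root is lost while valid relative paths survive. The five cases from the description are embedded as constructed test data. Two things here go beyond what the page states and are assumptions: a leading Windows drive prefix such as `C:` is dropped as well, and `destination_path` adds a final containment check against the extraction root as a belt-and-braces guard before any file is written.

```python
import posixpath
import re
from typing import Dict, Optional

# Constructed sample data: the five cases from the PR description.
# These are test inputs, not entries read from a real archive.
SAMPLE_ENTRIES: Dict[str, str] = {
    r"a\..\c\file.txt": r"c\file.txt",
    r"a\..\..\c\file.txt": r"c\file.txt",
    r"..\..\..\..\c\file.txt": r"c\file.txt",
    r"a\b\..\c\file.txt": r"a\c\file.txt",
    r"a\b\c\..\e\..\..\f\file.txt": r"a\f\file.txt",
}

_SEPARATORS = re.compile(r"[\\/]+")      # zip entries may use either separator
_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:$")  # assumption: strip e.g. "C:" too


def sanitize_entry_path(name: str, sep: str = "\\") -> str:
    """Collapse '.' and '..' segments of a zip entry name.

    A '..' climbs one level only while there is a level to climb within the
    entry's own relative path; any '..' that would go above the extraction
    root is dropped. The result is therefore always a relative path that
    stays under the root, or '' if nothing is left (e.g. for '..\\..').
    """
    segments = []
    for part in _SEPARATORS.split(name):
        if part in ("", "."):
            continue  # leading/duplicate separators and current-dir markers
        if not segments and _DRIVE_PREFIX.match(part):
            continue  # assumption beyond the page: ignore a drive letter prefix
        if part == "..":
            if segments:
                segments.pop()  # climb within the archive-relative tree
            # otherwise: traversal above the root is discarded
            continue
        segments.append(part)
    return sep.join(segments)


def destination_path(extract_root: str, entry_name: str) -> Optional[str]:
    """Return the absolute (POSIX-style) path an entry should be written to,
    or None when the entry sanitizes to the root itself and has no file part.

    Even though sanitize_entry_path already removes every escaping '..',
    the final containment check refuses anything that would still resolve
    outside extract_root, so a future bug in the sanitizer cannot silently
    reintroduce the traversal.
    """
    relative = sanitize_entry_path(entry_name, sep="/")
    if not relative:
        return None
    root = posixpath.normpath(extract_root)
    full = posixpath.normpath(posixpath.join(root, relative))
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"entry escapes extraction root: {entry_name!r}")
    return full


def all_samples_pass() -> bool:
    """True when every case from the PR description sanitizes as documented."""
    return all(sanitize_entry_path(name) == expected
               for name, expected in SAMPLE_ENTRIES.items())


if __name__ == "__main__":
    for name, expected in SAMPLE_ENTRIES.items():
        print(f"{name!r:40} -> {sanitize_entry_path(name)!r} (expected {expected!r})")
    print("all samples pass:", all_samples_pass())
    print(destination_path("/tmp/out", r"..\..\..\..\file.txt"))
```

`sanitize_entry_path` is what the description's table exercises; `destination_path` is the shape of the call an extractor would make per entry, and its containment check is the one a reviewer would ask for regardless of how the sanitizer is implemented.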
@shana shana merged commit 55d2c13 into haf:master May 7, 2018
@shana shana deleted the bugs/relative-paths branch May 7, 2018 19:30
@haf haf mentioned this pull request Nov 13, 2018