Land #11716, check for directory traversal on internal zip paths

rapid7 · Apr 16, 2019 · bd5ab45 · bd5ab45
1 parent 3881c61
commit bd5ab45
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/lib/msf/core/db_manager/import/metasploit_framework/zip.rb b/lib/msf/core/db_manager/import/metasploit_framework/zip.rb
@@ -194,8 +194,14 @@ def import_msf_zip(args={}, &block)
     }
 
     data.entries.each do |e|
-      target = ::File.join(@import_filedata[:zip_tmp], e.name)
-      data.extract(e,target)
+      # normalize entry name to an absolute path
+      target = File.expand_path(File.join(@import_filedata[:zip_tmp], e.name), '/').to_s
+
+      # skip if the target would be extracted outside of the zip
+      # tmp dir to mitigate any directory traversal attacks
+      next unless is_child_of?(@import_filedata[:zip_tmp], target)
+
+      e.extract(target)
 
       if target =~ /\.xml\z/
         target_data = ::File.open(target, "rb") {|f| f.read 1024}
@@ -236,4 +242,8 @@ def import_msf_zip(args={}, &block)
       import_msf_collateral(new_args)
     end
   end
+
+  def is_child_of?(target_dir, target)
+    target.downcase.start_with?(target_dir.downcase)
+  end
 end