Directory traversal vulnerability #540
Comments
Sorry. |
Is there any particular plan to correct this issue? |
Hi @wonda-tea-coffee and thanks for raising this again. The above code clearly short-circuits around the protections that Rubyzip has for traversal. For example the following code would be safe, simply by changing

```ruby
require 'zip'

Zip::File.open('traversal.zip') do |zip_file|
  # Handle entries one by one
  zip_file.each do |entry|
    # Extract to file/directory/symlink
    puts "Extracting #{entry.name}"
    entry.extract
  end
end
```

A developer would need to specifically write the unsafe version that you supply above, but I agree that it's probably easy to do so without knowing you've done it. I do think it should be possible for a developer to knowingly and deliberately allow extracting to potentially unsafe names, if for their particular situation it is perfectly safe, but:
Do you think that would be acceptable? I will think on how to implement that and get it into version 3 - which is getting closer (honest). |
@hainesr |
OK, having now tried a somewhat naive implementation based solely on that bulleted list above, I see a rather large UX hole. The above prevents one from extracting to, say, I think the solution then is to add a parameter to the
This seems to be how other libraries manage this situation: https://github.com/commonsguy/cwac-security/blob/master/security/src/main/java/com/commonsware/cwac/security/ZipUtils.java#L171-L181 |
This commit adds a parameter to the `File#extract` and `Entry#extract` methods so that a base destination directory can be specified for extracting archives in bulk to somewhere in the filesystem that isn't the current working directory. This directory is `.` by default. It is combined with the entry path - which shouldn't but could have relative directories (e.g. `..`) in it - and tested for safety before extracting. Resolves rubyzip#540.
Hi @wonda-tea-coffee, I have finally raised a PR to implement the above (#554). |
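As an added illustration of the check the commit message above describes (combine a base destination directory with the entry path, then test the result for safety before extracting), here is a small stand-alone Ruby example. It is not Rubyzip's code and not the implementation from PR #554; the helper names `safe_destination`, `escapes?` and `write_entry` are hypothetical, the entry names are constructed, and it deliberately avoids `require 'zip'` so it runs without the gem. It also covers the symlink case that the `entry.extract` comment in the earlier reply hints at: a symlink written by an earlier entry must not redirect a later write outside the destination.

```ruby
require 'fileutils'
require 'tmpdir'

# Raised when an archive entry would land outside the destination directory.
class UnsafeEntryError < StandardError; end

# Combine dest_dir with an entry name and return the absolute target path.
# Raises UnsafeEntryError if the combination escapes dest_dir. This is an
# illustration of the check described in the commit message, not Rubyzip's
# own implementation; the helper name is hypothetical.
def safe_destination(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  # An absolute entry name is never legitimate inside an archive.
  if entry_name.start_with?('/', '\\')
    raise UnsafeEntryError, "absolute entry name #{entry_name.inspect}"
  end
  # The "./" prefix keeps File.expand_path from treating a leading "~" as a
  # home-directory reference, so "~/x" stays inside base.
  target = File.expand_path("./#{entry_name}", base)
  unless target == base || target.start_with?(base + File::SEPARATOR)
    raise UnsafeEntryError, "entry #{entry_name.inspect} escapes #{dest_dir}"
  end
  target
end

# True when entry_name would be rejected for dest_dir.
def escapes?(dest_dir, entry_name)
  safe_destination(dest_dir, entry_name)
  false
rescue UnsafeEntryError
  true
end

# Write one file entry under dest_dir, re-checking the real (symlink-resolved)
# parent directory so a symlink written by an earlier entry cannot redirect
# this write outside dest_dir.
def write_entry(dest_dir, entry_name, data)
  target = safe_destination(dest_dir, entry_name)
  FileUtils.mkdir_p(File.dirname(target))
  base = File.realpath(File.expand_path(dest_dir))
  real_parent = File.realpath(File.dirname(target))
  unless real_parent == base || real_parent.start_with?(base + File::SEPARATOR)
    raise UnsafeEntryError, "parent of #{entry_name.inspect} resolves outside #{dest_dir}"
  end
  raise UnsafeEntryError, "#{entry_name.inspect} is a symlink" if File.symlink?(target)
  File.write(target, data)
  target
end

if __FILE__ == $PROGRAM_NAME
  # Constructed entry names for the demo; not taken from any real archive.
  names = ['docs/readme.txt', '../../etc/passwd', '/etc/passwd',
           '~/evil', 'build/../notes.txt']
  names.each do |name|
    puts "#{escapes?('/srv/out', name) ? 'REJECT' : 'ok    '} #{name}"
  end
  Dir.mktmpdir do |dir|
    puts "wrote #{write_entry(dir, 'docs/readme.txt', "hello\n")}"
  end
end
```

Two design choices worth noting: the lexical check (`File.expand_path` plus a prefix comparison against `base + File::SEPARATOR`, so that `/srv/out2` is not mistaken for a child of `/srv/out`) is enough to reject `..` sequences and absolute names before anything touches the disk, while the `File.realpath` re-check in `write_entry` is what handles archives that first create a symlink and then write through it. A library that wants to let a developer "knowingly and deliberately" allow unsafe names, as discussed above, would expose a switch that skips `safe_destination` but should still never follow symlinks out of the base directory silently.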
Summary
In version 2.3.2, we are again experiencing the exact same problem as below.
#315
PoC
extract.rb