Remediate zipslip

[rminnich]

paths in the archives containing .. could creep out of directory
they were being unpacked into.

The fix is simple: given a base path and file path, instead of
filepath.Join(base, file)
do
filepath.Join(base, filepath.Join("/", file))

Joining to / has the property of swallowing up and .. that may appear.

Signed-off-by: Ronald G Minnich rminnich@gmail.com

[rminnich]

I did file an issue with golang.org and everyone said "it's not a problem" so ... we fix it here.

[orangecms]

So in other words, this fixes a path traversal flaw?

Could we add some fixtures to test that? Like https://github.com/jwilk/traversal-archives

[ggkitsas]

So in other words, this fixes a path traversal flaw?

Could we add some fixtures to test that? Like https://github.com/jwilk/traversal-archives

Just a note, this repo will work great for zip and tar, but not for cpio for your case. I needed to create a newc cpio archive:

mkdir -m 755 tmp
umask 022 && echo moo > moo
cd tmp && echo ../moo | cpio -R root:root -H newc  -o > ../moo.cpio
rm -rf tmp moo

[ggkitsas]

So in other words, this fixes a path traversal flaw?
Could we add some fixtures to test that? Like https://github.com/jwilk/traversal-archives

Just a note, this repo will work great for zip and tar, but not for cpio for your case. I needed to create a newc cpio archive:

mkdir -m 755 tmp
umask 022 && echo moo > moo
cd tmp && echo ../moo | cpio -R root:root -H newc  -o > ../moo.cpio
rm -rf tmp moo

Second note :)
For cpio specifically, you would want to additionally test against symlink-based path traversals (again in newc format)

[rminnich]

ETIMEDOUT

[mpictor]

One way to test this would be to use go-fuzz (or other fuzzer) to create arbitrary cpio inputs, feed em through the extract logic and check for escaping paths.

[insomniacslk]

@rminnich should this be just matter of using upath.SafeFilepathJoin in uzip ?

[rjoleary]

Let's revive this. We're getting security alerts.

[rjoleary]

Fixed in #2344