ZipSlip.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Accessing filesystem paths built from the name of an archive entry without validating that the
destination file path is within the destination directory can allow an attacker to access
unexpected resources, due to the possible presence of directory traversal elements (<code>..</code>) in
archive paths.</p>
<p>Zip archives contain archive entries representing each file in the archive. These entries
include a file path for the entry, but these file paths are not restricted and may contain
unexpected special elements such as the directory traversal element (<code>..</code>). If these
file paths are used to create a filesystem path, then a file operation may happen in an
unexpected location. This can result in sensitive information being
revealed or deleted, or an attacker being able to influence behavior by modifying unexpected
files.</p>
<p>For example, if a Zip archive contains a file entry <code>..\sneaky-file</code>, and the Zip archive
is extracted to the directory <code>c:\output</code>, then naively combining the paths would result
in an output file path of <code>c:\output\..\sneaky-file</code>, which would cause the file to be
written to <code>c:\sneaky-file</code>.</p>
</overview>
<recommendation>
<p>Ensure that output paths constructed from Zip archive entries are validated
to prevent writing files to unexpected locations.</p>
<p>The recommended way of writing an output file from a Zip archive entry is to call <code>extract()</code> or <code>extractall()</code>.</p>
</recommendation>
<example>
<p>
In this example an archive is extracted without validating file paths.
</p>
<sample src="zipslip_bad.py" />
<p>To fix this vulnerability, we need to call the function <code>extractall()</code>.</p>
<sample src="zipslip_good.py" />
</example>
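The following is an added illustration, not the <code>zipslip_bad.py</code> / <code>zipslip_good.py</code> samples referenced above: it builds a constructed in-memory archive containing the <code>../sneaky-file</code> style entry from the overview, shows how the naive <code>os.path.join</code> lands outside the destination, and validates each entry against the resolved destination directory before handing the write to <code>extract()</code>. Function names and the sample entry names are this example's own assumptions.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content")
        zf.writestr("../sneaky-file", "would land outside the output directory")
    return buf.getvalue()


def naive_target(dest_dir: str, entry_name: str) -> str:
    """The flawed pattern: combine the paths without any validation."""
    return os.path.join(dest_dir, entry_name)


def is_within_directory(dest_dir: str, target: str) -> bool:
    """True only if the fully resolved target lies inside the resolved dest_dir."""
    base = os.path.realpath(dest_dir)
    resolved = os.path.realpath(target)
    return os.path.commonpath([base, resolved]) == base


def classify_entries(archive_bytes: bytes, dest_dir: str) -> dict:
    """Split entries into those safe to write and those that would escape dest_dir."""
    verdict = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = naive_target(dest_dir, info.filename)
            key = "safe" if is_within_directory(dest_dir, target) else "rejected"
            verdict[key].append(info.filename)
    return verdict


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Validate each entry, skip traversal entries, let extract() perform the write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if is_within_directory(dest_dir, naive_target(dest_dir, info.filename)):
                written.append(zf.extract(info, dest_dir))
    return written


def demo() -> dict:
    """Run both checks on the sample archive inside a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as dest:
        verdict = classify_entries(build_sample_archive(), dest)
        verdict["written"] = [os.path.relpath(p, dest) for p in safe_extract(build_sample_archive(), dest)]
    return verdict
```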
<references>
<li>
Snyk:
<a href="https://snyk.io/research/zip-slip-vulnerability">Zip Slip Vulnerability</a>.
</li>
</references>
</qhelp>