vuln-fix: Zip Slip Vulnerability

JLLeitschuh · TeamModerne · JLLeitschuh · commit 84589f7efd31 · 2022-07-29T21:45:01.000Z
This fixes a Zip-Slip vulnerability. This change does one of two things. This change either 1. Inserts a guard to protect against Zip Slip. OR 2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`. For number 2, consider `"/usr/outnot".startsWith("/usr/out")`. The check is bypassed although `/outnot` is not under the `/out` directory. It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object. For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`; however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`. Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Severity: High CVSSS: 7.4 Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: JLLeitschuh/security-research#16 Co-authored-by: Moderne <team@moderne.io>
diff --git a/src/test/java/org/apache/commons/compress/archivers/JarTestCase.java b/src/test/java/org/apache/commons/compress/archivers/JarTestCase.java
@@ -61,6 +61,9 @@ public void testJarUnarchive() throws Exception {
 
         ZipArchiveEntry entry = (ZipArchiveEntry)in.getNextEntry();
         File o = new File(dir, entry.getName());
+        if (!o.toPath().normalize().startsWith(dir.toPath().normalize())) {
+            throw new RuntimeException("Bad zip entry");
+        }
         o.getParentFile().mkdirs();
         OutputStream out = Files.newOutputStream(o.toPath());
         IOUtils.copy(in, out);
diff --git a/src/test/java/org/apache/commons/compress/archivers/ZipTestCase.java b/src/test/java/org/apache/commons/compress/archivers/ZipTestCase.java
@@ -99,7 +99,10 @@ public void testZipArchiveCreation() throws Exception {
                 fileInputStream)) {
                 ZipArchiveEntry entry = null;
                 while ((entry = (ZipArchiveEntry) archiveInputStream.getNextEntry()) != null) {
-                    final File outfile = new File(resultDir.getCanonicalPath() + "/result/" + entry.getName());
+                    final File outfile = new File(resultDir.getCanonicalPath() + "/result/", entry.getName());
+                    if (!outfile.toPath().normalize().startsWith(resultDir.getCanonicalPath() + "/result/")) {
+                        throw new RuntimeException("Bad zip entry");
+                    }
                     outfile.getParentFile().mkdirs();
                     try (OutputStream o = Files.newOutputStream(outfile.toPath())) {
                         IOUtils.copy(archiveInputStream, o);
@@ -168,7 +171,11 @@ public void testZipUnarchive() throws Exception {
         try (final InputStream is = Files.newInputStream(input.toPath());
                 final ArchiveInputStream in = ArchiveStreamFactory.DEFAULT.createArchiveInputStream("zip", is)) {
             final ZipArchiveEntry entry = (ZipArchiveEntry) in.getNextEntry();
-            try (final OutputStream out = Files.newOutputStream(new File(dir, entry.getName()).toPath())) {
+            final File zipEntryFile = new File(dir, entry.getName());
+            if (!zipEntryFile.toPath().normalize().startsWith(dir.toPath().normalize())) {
+                throw new RuntimeException("Bad zip entry");
+            }
+            try (final OutputStream out = Files.newOutputStream(zipEntryFile.toPath())) {
                 IOUtils.copy(in, out);
             }
         }
@@ -828,7 +835,11 @@ private File getFilesToZip() throws IOException {
                 if (!outputFile.getParentFile().exists()) {
                     outputFile.getParentFile().mkdirs();
                 }
-                outputFile = new File(dir, zipEntry.getName());
+                final File zipEntryFile = new File(dir, zipEntry.getName());
+                if (!zipEntryFile.toPath().normalize().startsWith(dir.toPath().normalize())) {
+                    throw new RuntimeException("Bad zip entry");
+                }
+                outputFile =zipEntryFile;
 
                 try (InputStream inputStream = zipFile.getInputStream(zipEntry);
                     OutputStream outputStream = Files.newOutputStream(outputFile.toPath())) {
diff --git a/src/test/java/org/apache/commons/compress/archivers/zip/Lister.java b/src/test/java/org/apache/commons/compress/archivers/zip/Lister.java
@@ -91,6 +91,9 @@ private static void list(final ZipArchiveEntry entry) {
     private static void extract(final String dir, final ZipArchiveEntry entry,
                                 final InputStream is) throws IOException {
         final File f = new File(dir, entry.getName());
+        if (!f.toPath().normalize().startsWith(dir)) {
+            throw new RuntimeException("Bad zip entry");
+        }
         if (!f.getParentFile().exists()) {
             f.getParentFile().mkdirs();
         }
@@ -142,4 +145,4 @@ private static void usage() {
                            + " [+storeddd] [-extract dir] archive");
         System.exit(1);
     }
-}
+}
diff --git a/src/test/java/org/apache/commons/compress/archivers/zip/ZipFileIgnoringLocalFileHeaderTest.java b/src/test/java/org/apache/commons/compress/archivers/zip/ZipFileIgnoringLocalFileHeaderTest.java
@@ -55,7 +55,11 @@ public void testZipUnarchive() throws Exception {
         try (final ZipFile zf = openZipWithoutLFH("bla.zip")) {
             for (final Enumeration<ZipArchiveEntry> e = zf.getEntries(); e.hasMoreElements(); ) {
                 final ZipArchiveEntry entry = e.nextElement();
-                try (final OutputStream out = Files.newOutputStream(new File(dir, entry.getName()).toPath())) {
+                final File zipEntryFile = new File(dir, entry.getName());
+                if (!zipEntryFile.toPath().normalize().startsWith(dir.toPath().normalize())) {
+                    throw new RuntimeException("Bad zip entry");
+                }
+                try (final OutputStream out = Files.newOutputStream(zipEntryFile.toPath())) {
                     IOUtils.copy(zf.getInputStream(entry), out);
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,11 @@ public void testZipUnarchive() throws Exception {`
`55`	`55`	`try (final ZipFile zf = openZipWithoutLFH("bla.zip")) {`
`56`	`56`	`for (final Enumeration<ZipArchiveEntry> e = zf.getEntries(); e.hasMoreElements(); ) {`
`57`	`57`	`final ZipArchiveEntry entry = e.nextElement();`
`58`		`- try (final OutputStream out = Files.newOutputStream(new File(dir, entry.getName()).toPath())) {`
	`58`	`+ final File zipEntryFile = new File(dir, entry.getName());`
	`59`	`+ if (!zipEntryFile.toPath().normalize().startsWith(dir.toPath().normalize())) {`
	`60`	`+ throw new RuntimeException("Bad zip entry");`
	`61`	`+ }`
	`62`	`+ try (final OutputStream out = Files.newOutputStream(zipEntryFile.toPath())) {`
`59`	`63`	`IOUtils.copy(zf.getInputStream(entry), out);`
`60`	`64`	`}`
`61`	`65`	`}`