Zip Slip
ID |
csharp.zip_slip |
Severity |
high |
Resource |
Path Resolution |
Language |
CSharp |
Tags |
CWE:22, CWE:73, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.8 |
Description
Zip Slip is a vulnerability that occurs when files in a zip archive are extracted without proper validation, allowing directory traversal and potentially overwriting critical files.
Rationale
The Zip Slip vulnerability arises from extracting files from an archive without validating their paths. Attackers can craft zip files with file paths that traverse directories, enabling them to write files outside the intended directory, potentially overwriting system files or injecting malicious code.
Here’s an example illustrating a vulnerable C# code:
using System.IO;
using System.IO.Compression;
class Bad
{
public static void WriteToDirectory(ZipArchiveEntry entry,
string destDirectory)
{
string destFileName = Path.Combine(destDirectory, entry.FullName);
entry.ExtractToFile(destFileName); // FLAW
}
}In this example, files are extracted without verifying their paths, making it possible for an attacker to exploit directory traversal.
Remediation
To remediate the Zip Slip vulnerability, validate the file paths during extraction to ensure they remain within the target directory.
The remediation examples would look like this:
using System.IO;
using System.IO.Compression;
class Good
{
public static void WriteToDirectory(ZipArchiveEntry entry,
string destDirectory)
{
string destFileName = Path.GetFullPath(Path.Combine(destDirectory, entry.FullName));
string fullDestDirPath = Path.GetFullPath(destDirectory + Path.DirectorySeparatorChar);
if (!destFileName.StartsWith(fullDestDirPath)) {
throw new System.InvalidOperationException("Entry is outside the target dir: " +
destFileName);
}
entry.ExtractToFile(destFileName);
}
}