Zip Slip
ID: go.zip_slip
Severity: high
Resource: Path Resolution
Language: Go
Tags: CWE:22, CWE:73, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.8
Description
Zip Slip occurs when the entries of a zip archive are written to disk under their archive names without validating those names. A crafted entry name such as ../../target (or an absolute path) escapes the intended extraction directory, so whoever supplies the archive can overwrite any file the extracting process is allowed to write.
Rationale
The vulnerability arises because entry names inside an archive are attacker-controlled data, yet extraction code frequently uses them directly as filesystem paths. An entry whose name contains ../ components, or is an absolute path, resolves outside the extraction directory; the attacker can then overwrite system or configuration files, or drop code into a location that is later executed by a privileged process.
Here is an example of vulnerable Go code:
package zip_slip

import (
	"archive/zip"
	"io"
	"os"
	"path/filepath"
)

// unzipBad writes every entry of the archive at path f to disk, using the
// entry name as the destination path without any validation.
func unzipBad(f string) {
	r, err := zip.OpenReader(f)
	if err != nil {
		// Handle error
		return
	}
	defer r.Close()
	for _, file := range r.File {
		// filepath.Abs only resolves the name against the working directory;
		// it does not confine it, so "../../x" still lands two levels above.
		p, err := filepath.Abs(file.Name)
		if err != nil {
			// Handle error
			continue
		}
		rc, err := file.Open()
		if err != nil {
			// Handle error
			continue
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			// Handle error
			continue
		}
		err = os.WriteFile(p, data, 0666) // FLAW: attacker-controlled destination path
		if err != nil {
			// Handle error
			continue
		}
	}
}
In this example the entry name is used as the destination path as-is. filepath.Abs merely anchors it to the current working directory and rejects nothing, so an entry named ../../some/file is written two directories above the working directory, and an entry with an absolute name is written exactly where it says.
Remediation
To remediate Zip Slip, resolve every entry name against the intended destination directory and refuse any entry whose resolved path is not inside it. In Go, filepath.Join(destDir, name) cleans the path (so docs/../../x collapses before the check) and filepath.Rel(destDir, joined) must not begin with a .. component. Scanning the raw name for the substring .. is not a substitute: it rejects legitimate names such as a..b and does nothing about absolute names. Resolving the name with filepath.Abs alone only anchors it to the working directory and provides no confinement at all.
The remediation example looks like this:
package zip_slip

import (
	"archive/zip"
	"errors"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// unzipGood extracts the archive at path f into destDir and refuses any
// entry whose cleaned path would fall outside destDir.
func unzipGood(f, destDir string) error {
	destDir, err := filepath.Abs(destDir)
	if err != nil {
		return err
	}
	r, err := zip.OpenReader(f)
	if err != nil {
		return err
	}
	defer r.Close()
	for _, file := range r.File {
		// Join cleans the path, so "docs/../../x" collapses before the check.
		p := filepath.Join(destDir, file.Name)
		rel, err := filepath.Rel(destDir, p)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return errors.New("zip entry escapes target directory: " + file.Name)
		}
		if file.FileInfo().IsDir() {
			if err := os.MkdirAll(p, 0755); err != nil {
				return err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(p), 0755); err != nil {
			return err
		}
		rc, err := file.Open()
		if err != nil {
			return err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return err
		}
		if err := os.WriteFile(p, data, 0644); err != nil {
			return err
		}
	}
	return nil
}
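As an added, self-contained example (not part of the original rule page and not the scanner's own code), the following Go program applies the Join-plus-Rel check to a constructed in-memory archive that mixes benign entries with traversal and absolute-path entries, extracts it into a temporary directory, and reports which names were written and which were refused. It goes slightly beyond the rule's example by also rejecting absolute names, symlink entries and a name that resolves to the destination directory itself. The helper names safeJoin, writeEntry, extractZip and buildArchive, and all entry names and contents, are assumptions made for this illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// safeJoin maps an archive entry name onto a path strictly below destDir (absolute, clean).
// Absolute or root-anchored names are rejected rather than silently re-rooted.
func safeJoin(destDir, name string) (string, error) {
	name = filepath.FromSlash(name) // zip names use '/', convert to the host separator
	if filepath.IsAbs(name) || strings.HasPrefix(name, string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q is an absolute path", name)
	}
	dest := filepath.Join(destDir, name) // Join cleans, so "docs/../../x" collapses here
	rel, err := filepath.Rel(destDir, dest)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q resolves outside %s", name, destDir)
	}
	return dest, nil
}

// writeEntry materialises one already-validated entry at dest, streaming file contents.
func writeEntry(f *zip.File, dest string) error {
	if f.FileInfo().IsDir() {
		return os.MkdirAll(dest, 0o755)
	}
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.Create(dest)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// extractZip writes an in-memory archive below destDir and reports written and refused names.
func extractZip(archive []byte, destDir string) (written, rejected []string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Go 1.20+ may return ErrInsecurePath with a usable reader (only under
	// GODEBUG=zipinsecurepath=0); the per-entry check below is what we rely on.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, nil, err
	}
	if destDir, err = filepath.Abs(destDir); err != nil {
		return nil, nil, err
	}
	for _, f := range zr.File {
		dest, jerr := safeJoin(destDir, f.Name)
		// Symlink entries are refused too: a link pointing outside destDir redirects later writes.
		if jerr != nil || f.Mode()&os.ModeSymlink != 0 {
			rejected = append(rejected, f.Name)
			continue
		}
		if err = writeEntry(f, dest); err != nil {
			return written, rejected, err
		}
		written = append(written, f.Name)
	}
	return written, rejected, nil
}

// buildArchive returns a constructed archive mixing benign and traversal entries.
func buildArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"docs/readme.txt", "benign"},
		{"a..b/notes.txt", "dots inside a name are legitimate"},
		{"../../escape.txt", "classic traversal"},
		{"docs/../../escape2.txt", "traversal behind a valid prefix"},
		{"/etc/evil", "absolute path"},
	} {
		fw, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		io.WriteString(fw, e.body)
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	dir := filepath.Join(os.TempDir(), "zipslip-demo") // demo destination, left in place for inspection
	fmt.Println(extractZip(buildArchive(), dir))
}
```

Running it with go run reports docs/readme.txt and a..b/notes.txt as written and the other three names as rejected; a substring check for .. would instead have refused a..b/notes.txt and accepted /etc/evil. Since Go 1.20, archive/zip can itself flag such names by returning zip.ErrInsecurePath from NewReader and OpenReader, but only when the program runs with GODEBUG=zipinsecurepath=0; the default keeps the earlier permissive behaviour, so that check is not a replacement for validating each entry yourself.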