Zip Slip
ID | javascript.zip_slip
Severity | high
Resource | Path Resolution
Language | JavaScript
Tags | CWE:22, CWE:73, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.8
Description
Zip Slip is a vulnerability that occurs when files in a zip archive are extracted without proper validation, allowing directory traversal and potentially overwriting critical files.
Rationale
The Zip Slip vulnerability arises from extracting files from an archive without validating their paths. Attackers can craft zip files with file paths that traverse directories, enabling them to write files outside the intended directory, potentially overwriting system files or injecting malicious code.
The following JavaScript code is vulnerable:
    const fs = require('fs');
    const unzip = require('unzip');

    fs.createReadStream('my_archive.zip')
      .pipe(unzip.Parse())
      .on('entry', entry => {
        const fileName = entry.path;
        entry.pipe(fs.createWriteStream(fileName)); // FLAW
      });
In this example, entry.path is taken from the archive and used as the write destination without any verification, so a crafted entry path can traverse out of the intended directory.
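One way to validate entry paths before writing, shown as an added example that is not part of the original rule text or of any library: the helper names safeEntryPath and checkEntries, the directory name 'extracted' and the sample entry names are all assumptions constructed for illustration. It resolves each entry name against the extraction directory and rejects any name whose resolved path falls outside it.

```javascript
// Added example, not the rule's or any library's own code.
const path = require('path');

// Return the absolute destination for an archive entry, or throw if the
// entry name would resolve outside destDir.
function safeEntryPath(destDir, entryName) {
  if (typeof entryName !== 'string' || entryName === '' || entryName.includes('\0')) {
    throw new Error('invalid entry name');
  }
  const root = path.resolve(destDir);
  // Treat '\' as a separator too, so Windows-style names are judged the
  // same way on every platform (stricter than POSIX requires).
  const target = path.resolve(root, entryName.replace(/\\/g, '/'));
  // The route from root to target must stay below root: not root itself,
  // not starting with '..', and not absolute (different drive on Windows).
  const rel = path.relative(root, target);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('entry escapes extraction directory: ' + entryName);
  }
  return target;
}

// Classify a list of entry names without touching the filesystem.
function checkEntries(destDir, names) {
  return names.map((name) => {
    try {
      return { name, ok: true, target: safeEntryPath(destDir, name) };
    } catch (err) {
      return { name, ok: false, reason: err.message };
    }
  });
}

// Constructed sample entry names (not taken from a real archive).
const SAMPLE_ENTRIES = [
  'docs/readme.txt',      // plain relative path
  'a/b/../c.txt',         // '..' that stays inside the directory
  '..notes.txt',          // leading dots, but not a traversal
  '../outside.txt',       // climbs out of the directory
  'a/../../outside.txt',  // climbs out after descending
  '/tmp/absolute.txt',    // absolute path
  '..\\..\\outside.txt',  // backslash-separated traversal
];

for (const r of checkEntries('extracted', SAMPLE_ENTRIES)) {
  console.log(r.ok ? 'ALLOW ' : 'REJECT', JSON.stringify(r.name));
}
```

In the extraction handler, the path returned by safeEntryPath would be passed to fs.createWriteStream in place of entry.path. The check covers entry names only; symbolic-link entries in an archive need separate handling.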