Zip Slip

ID

kotlin.zip_slip

Severity

high

Resource

Path Resolution

Language

Kotlin

Tags

CWE:22, CWE:73, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.8

Description

Zip Slip is a vulnerability that occurs when files in a zip archive are extracted without proper validation, allowing directory traversal and potentially overwriting critical files.

Rationale

The Zip Slip vulnerability arises from extracting files from an archive without validating their paths. Attackers can craft zip files with file paths that traverse directories, enabling them to write files outside the intended directory, potentially overwriting system files or injecting malicious code.

The following Kotlin code is vulnerable:

import java.io.File
import java.io.FileOutputStream
import java.io.InputStream
import java.util.zip.ZipEntry

fun writeZipEntry(entry: ZipEntry, destinationDir: File) {
    val file = File(destinationDir, entry.name) // FLAW
    FileOutputStream(file).use { fos ->
        // Simulate writing data to the file output stream
        // For example, if entry comes from a real zip file input stream
        // val inputStream: InputStream = ...
        // inputStream.copyTo(fos)
    }
}

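In this example, entry.name is joined to destinationDir without any check, so an entry whose name contains directory traversal sequences (such as ../) resolves to a path outside the destination directory, and the file is written there.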

Remediation

To remediate the Zip Slip vulnerability, validate the file paths during extraction to ensure they remain within the target directory.
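
One way to apply this validation, as an added example that is not part of the original rule documentation: each entry's canonical path is checked against the canonical target directory before anything is written. The helper names resolveEntry and safeUnzip are hypothetical, and the sample archive is constructed in memory for the demonstration.

```kotlin
import java.io.*
import java.nio.file.Files
import java.util.zip.*

// Hypothetical helper: resolve an entry name and reject paths outside destinationDir.
fun resolveEntry(destinationDir: File, entryName: String): File {
    val root = destinationDir.canonicalFile.toPath()
    val target = File(destinationDir, entryName).canonicalFile.toPath()
    // Path.startsWith compares whole components, so /tmp/out-evil does not match /tmp/out.
    if (!target.startsWith(root)) {
        throw IOException("Zip entry escapes target directory: $entryName")
    }
    return target.toFile()
}

// Hypothetical helper: extract every entry, validating each path before any write.
fun safeUnzip(zip: InputStream, destinationDir: File) {
    ZipInputStream(zip).use { zis ->
        var entry = zis.nextEntry
        while (entry != null) {
            val out = resolveEntry(destinationDir, entry.name)
            if (entry.isDirectory) {
                out.mkdirs()
            } else {
                out.parentFile?.mkdirs()
                out.outputStream().use { zis.copyTo(it) }
            }
            entry = zis.nextEntry
        }
    }
}

fun main() {
    // Constructed sample archive: one benign entry and one traversal entry.
    val buf = ByteArrayOutputStream()
    ZipOutputStream(buf).use { zos ->
        for (name in listOf("docs/readme.txt", "../outside.txt")) {
            zos.putNextEntry(ZipEntry(name))
            zos.write("sample".toByteArray())
            zos.closeEntry()
        }
    }
    val dest = Files.createTempDirectory("unzip-demo").toFile()
    try {
        safeUnzip(ByteArrayInputStream(buf.toByteArray()), dest)
    } catch (e: IOException) {
        println("Rejected: ${e.message}")
    }
    println("Benign entry extracted: ${File(dest, "docs/readme.txt").exists()}")
}
```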

References

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

  • CWE-73: External Control of File Name or Path.