
Fix Zip Slip #950

Closed
th555555 wants to merge 2 commits into KnowageLabs:master from th555555:master

Conversation

@th555555


Prevents Zip Slip attacks that could allow attackers to overwrite arbitrary files on the filesystem, potentially leading to code execution or system compromise.

th555555 added 2 commits July 31, 2025 00:29
Description: The ziputils method is vulnerable to Zip Slip attacks, allowing malicious ZIP files to extract files outside the intended directory through path traversal sequences like Downloads. This could lead to arbitrary file write vulnerabilities.

Changes:

Add path traversal validation using path.normalize().startsWith(outFolder.toPath().normalize())
Throw IOException when entries attempt to escape the target directory
Add parent directory creation for extracted files
Maintain existing functionality while preventing directory traversal attacks

Security Impact: Prevents Zip Slip attacks that could allow attackers to overwrite arbitrary files on the filesystem, potentially leading to code execution or system compromise.

References:
naver/ngrinder@700eb9f
https://cwe.mitre.org/data/definitions/22.html

Description
Fixes a critical security vulnerability where malicious ZIP files could write files outside the intended extraction directory (Zip Slip attack).

Changes
Added path traversal validation using canonical paths
Prevents extraction of entries that would write outside the target directory
Throws IOException for malicious zip entries attempting directory traversal
Security Impact
Prevents arbitrary file write attacks
Protects against malicious ZIP files containing path traversal sequences like Downloads
Maintains functionality while ensuring extracted files remain within the intended directory

References:
naver/ngrinder@700eb9f
https://cwe.mitre.org/data/definitions/22.html
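A small Java extractor built around the check the PR describes (normalize the resolved entry path, require `Path.startsWith` against the normalized output folder, throw `IOException` otherwise, create parent directories before writing), added here as an illustration; it is not the PR's diff or Knowage's own code, and the class name `SafeUnzip`, the `/tmp/knowage-out` folder and the entry names are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeUnzip {

    /** Resolves an entry name against outFolder and rejects any result that escapes it. */
    static Path resolveEntry(Path outFolder, String entryName) throws IOException {
        Path root = outFolder.toAbsolutePath().normalize();
        // normalize() collapses "." and ".." segments. Path.startsWith compares whole
        // path components, so (unlike String.startsWith) "/tmp/out" is not treated as
        // a prefix of "/tmp/out-other". An absolute entry name resolves to itself and
        // therefore also fails the check.
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("Zip entry escapes target directory: " + entryName);
        }
        return target;
    }

    /** Extracts every entry into outFolder, creating parent directories as needed. */
    public static void unzip(InputStream in, Path outFolder) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            for (ZipEntry entry = zis.getNextEntry(); entry != null; entry = zis.getNextEntry()) {
                Path target = resolveEntry(outFolder, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    // Constructed demonstration of the check alone; no archive is written or read.
    public static void main(String[] args) throws IOException {
        Path out = Path.of("/tmp/knowage-out");                  // hypothetical output folder
        System.out.println(resolveEntry(out, "report/data.csv")); // inside root: accepted
        try {
            resolveEntry(out, "../outside.txt");                  // leaves root: rejected
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```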
@github-actions
Contributor

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request

@th555555
Author

I have read the CLA Document and I hereby sign the CLA

@github-actions
Contributor

This PR is stale because it is related to an old version or it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions Bot added the Stale label Aug 30, 2025
@Redjaw Redjaw removed the Stale label Aug 30, 2025
@github-actions
Contributor

This PR is stale because it is related to an old version or it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions Bot added the Stale label Sep 30, 2025
@github-actions
github-actions Bot commented Oct 5, 2025
Contributor

This PR was closed because it has been stalled for 5 days with no activity.

@github-actions github-actions Bot closed this Oct 5, 2025