Skip to content

[8.3.0] Fix Arbitrary file access during archive extraction (Zip Slip) on DirectoryWriter #26091

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

odaysec
Copy link

@odaysec odaysec commented May 17, 2025

Fix the issue need to validate the file paths constructed from zip entry names to ensure they remain within the intended base directory. This can be achieved by normalizing the constructed file path and verifying that it starts with the normalized base directory path. If the validation fails, an exception should be thrown to prevent unsafe file operations.

The fix involves:

  1. Modifying the getFile method in DirectoryWriter to validate the constructed file path.
  2. Using File.getCanonicalFile() to normalize paths and ensure the constructed path is within the base directory.

References

Zip Slip Vulnerability
Path Traversal
CWE-22

@github-actions github-actions bot added the awaiting-review PR is awaiting review from an assigned reviewer label May 17, 2025
@iancha1992 iancha1992 added the team-Rules-Java Issues for Java rules label May 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
awaiting-review PR is awaiting review from an assigned reviewer team-Rules-Java Issues for Java rules
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants