Path Manipulation: Zip Entry Overwrite

Allowing user input to control paths used in file system operations could enable an attacker to arbitrarily overwrite files on the system.

Path Manipulation: Zip Entry Overwrite errors occur when a Zip file is opened and expanded without checking the file path of the Zip entry.

Example 1: The following example extracts files from a Zip file and insecurely writes them to disk.

    public static void UnzipFile(ZipArchive archive, string destDirectory)
    {
        foreach (var entry in archive.Entries)
        {
            string file = entry.FullName;
            if (!string.IsNullOrEmpty(file))
            {
                string destFileName = Path.Combine(destDirectory, file);
                entry.ExtractToFile(destFileName, true);

            }
        }
    }

In Example 1, there is no validation of entry.FullName prior to performing read/write operations on the data within this entry. If the Zip file was originally placed in the directory "C:\TEMP", a Zip entry name contained "..\ segments", and the application was run under the necessary permissions, it could arbitrarily overwrite system files.

Allowing user input to control paths used in file system operations could enable an attacker to arbitrarily overwrite files on the system.

Path Manipulation: Zip Entry Overwrite errors occur when a Zip file is opened and expanded without checking the file path of the Zip entry.

Example 1: The following example extracts files from a Zip file and insecurely writes them to disk.

func Unzip(src string, dest string) ([]string, error) {
    var filenames []string
    r, err := zip.OpenReader(src)
    if err != nil {
        return filenames, err
    }
    defer r.Close()

    for _, f := range r.File {
        // Store filename/path for returning and using later on
        fpath := filepath.Join(dest, f.Name)

        filenames = append(filenames, fpath)

        if f.FileInfo().IsDir() {
            // Make Folder
            os.MkdirAll(fpath, os.ModePerm)
            continue
        }
        
        // Make File
        if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
            return filenames, err
        }

        outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
        if err != nil {
            return filenames, err
        }
    
        rc, err := f.Open()
        if err != nil {
            return filenames, err
        }

        _, err = io.Copy(outFile, rc)

        // Close the file without defer to close before next iteration of loop
        outFile.Close()
        rc.Close()

        if err != nil {
            return filenames, err
        }
    }
    return filenames, nil
}

In Example 1, there is no validation of f.Name prior to performing read/write functions on the data within this entry. If the Zip file was originally placed in the directory "/tmp/" of a Unix-based machine, a Zip entry was "../etc/hosts", and the application was run under the necessary permissions, it would overwrite the system hosts file. This in turn would allow traffic from the machine to go anywhere the attacker wants, such as back to the attacker's machine.

Allowing user input to control paths used in file system operations could enable an attacker to arbitrarily overwrite files on the system.

Path Manipulation: Zip Entry Overwrite errors occur when a Zip file is opened and expanded without checking the file path of the Zip entry.

Example 1: The following example extracts files from a Zip file and insecurely writes them to disk.

var unzipper = require('unzipper');
var fs = require('fs');

var untrusted_zip = getZipFromRequest();
fs.createReadStream(zipPath).pipe(unzipper.Extract({ path: 'out' }));

Allowing user input to control paths used in file system operations could enable an attacker to arbitrarily overwrite files on the system.

Path Manipulation: Zip Entry Overwrite errors occur when a Zip file is opened and expanded without checking the file path of the Zip entry.

Example 1: The following example extracts files from a Zip file and insecurely writes them to disk.

    ZZArchive* archive = [ZZArchive archiveWithURL:[NSURL fileURLWithPath: zipPath] error:&error];
    for (ZZArchiveEntry* entry in archive.entries) {
        NSString *fullPath = [NSString stringWithFormat: @"%@/%@", destPath, [entry fileName]];
        [[entry newDataWithError:nil] writeToFile:newFullPath atomically:YES];
    }

In Example 1, there is no validation of entry.fileName prior to performing read/write functions on the data within this entry. If the Zip file was originally placed in the directory "Documents/hot_patches" of an iOS application, a Zip entry was "../js/page.js", it would overwrite the page.js file. This in turn would enable an attacker to inject malicious code that might result in code execution.

Allowing user input to control paths in file system operations might enable an attacker to arbitrarily overwrite files on the system.

Path Manipulation: Zip Entry Overwrite errors occur when a Zip file is opened and the files extracted without checking the file path of the Zip entry.

Example 1: The following example extracts files from a Zip file and insecurely writes them to disk.

...
$zip = new ZipArchive();
$zip->open("userdefined.zip", ZipArchive::RDONLY);
$zpm = $zip->getNameIndex(0);
$zip->extractTo($zpm);
...

In Example 1, there is no validation of f.Name before performing read/write functions on the data within this entry. If the Zip file is in the directory "/tmp/" of a Unix-based machine, a Zip entry is "../etc/hosts", and the application is run under the necessary permissions, it will overwrite the system hosts file. This allows traffic from the machine to go anywhere the attacker wants, such as back to the attacker's machine.

Allowing user input to control paths used in file system operations could enable an attacker to arbitrarily overwrite files on the system.

Path Manipulation: Zip Entry Overwrite errors occur when a Zip file is opened and expanded without checking the file path of the Zip entry.

Example 1: The following example extracts files from a Zip file and insecurely writes them to disk.

import zipfile
import tarfile

def unzip(archive_name):
    zf = zipfile.ZipFile(archive_name)
    zf.extractall(".")
    zf.close()

def untar(archive_name):
    tf = tarfile.TarFile(archive_name)
    tf.extractall(".")
    tf.close()

Allowing user input to control paths used in file system operations could enable an attacker to arbitrarily overwrite files on the system.

Path Manipulation: Zip Entry Overwrite errors occur when a Zip file is opened and expanded without checking the file path of the Zip entry.

Example 1: The following example extracts files from a Zip file and insecurely writes them to disk.

import better.files._

...

val zipPath: File = getUntrustedZip()
val destinationPath = file"out/dest"
zipPath.unzipTo(destination = destinationPath)

Example 2: The following example extracts files from a Zip file and insecurely writes them to disk.

import better.files._

...

val zipPath: File = getUntrustedZip()
val destinationPath = file"out/dest"
zipPath.newZipInputStream.mapEntries( (entry : ZipEntry) => {
    entry.extractTo(destinationPath, new FileInputStream(entry.getName))
})

In Example 2, there is no validation of entry.getName prior to performing read/write functions on the data within this entry. If the Zip file was originally placed in the directory "/tmp/" of a Unix-based machine, a Zip entry was "../etc/hosts", and the application was run under the necessary permissions, it would overwrite the system hosts file. This in turn would allow traffic from the machine to go anywhere the attacker wants, such as back to the attacker's machine.

Allowing user input to control paths used in file system operations could enable an attacker to arbitrarily overwrite files on the system.

Path Manipulation: Zip Entry Overwrite errors occur when a Zip file is opened and expanded without checking the file path of the Zip entry.

Example 1: The following example extracts files from a Zip file and insecurely writes them to disk.

let archive = try ZZArchive.init(url: URL(fileURLWithPath: zipPath))

for entry in archive.entries {
    let fullPath = URL(fileURLWithPath: destPath + "/" + entry.fileName)
    try entry.newData().write(to: fullPath)
}

In Example 1, there is no validation of entry.fileName prior to performing read/write functions on the data within this entry. If the Zip file was originally placed in the directory "Documents/hot_patches" of an iOS application, a Zip entry was "../js/page.js", it would overwrite the page.js file. This in turn would enable an attacker to inject malicious code that might result in code execution.