LeonardoGLA / devsecops-github-actions-all


Java Reachability Playground Modified by ASecurityGuru for End to End Java DevSecOps Project Case Study

Updated on 11th June, 2022 - Added SonarCloud Code Coverage Changes

This is an intentionally vulnerable application. It was purposely designed to demonstrate the capabilities of Snyk's Reachable Vulnerabilities feature and includes both a "Reachable" vulnerability (with a direct data flow to the vulnerable function) and a "Potentially Reachable" vulnerability (where only partial data exists for determining reachability).

Included vulnerabilities

Arbitrary File Write via Archive Extraction

The exploit uses a vulnerability called ZipSlip, a critical vulnerability discovered by Snyk, which typically results in remote command execution. As part of the exploit, a specially crafted zip archive (attached as malicious_file.zip) is extracted by a vulnerable function: it creates a file called good.txt in the unzipped folder, but it also creates a file called evil.txt in the /tmp/ folder. This example is harmless, of course, but it demonstrates the risk the vulnerability poses: imagine overwriting .ssh/authorized_keys or another sensitive file.

Deserialization of Untrusted Data

This vulnerability is not exploited by the demo. It demonstrates potentially vulnerable code for which data about vulnerable functions is not available.

How to run the demo (Maven)

  1. Clone this repository (git clone git@github.com:snyk/java-reachability-playground.git)
  2. Install all the dependencies (mvn install)
  3. Compile the project (mvn compile)
  4. Run the main class (mvn exec:java -Dexec.mainClass=Unzipper); the application should throw an exception saying Malicious file /tmp/evil.txt was created.
  5. Run the snyk command with the Reachable Vulnerabilities flag (snyk test --reachable or snyk monitor --reachable); you should see the vulnerability SNYK-JAVA-ORGND4J-72550 marked as reachable, together with the function call path to the vulnerability

For Gradle

  1. Make sure you build the artifacts with ./gradlew build
  2. To see test results, run snyk test --file=build.gradle --reachable; to monitor, run snyk monitor --file=build.gradle --reachable

Note: once the Java application has run, it deletes malicious_file.zip. To run it again, run git checkout . before the next Java run.