alibaba / atlas

A powerful Android Dynamic Component Framework.
Apache License 2.0
8.12k stars 1.48k forks

[atlas-update] Avoid Zip Slip Vulnerability #392

Open ready-research opened 2 years ago

ready-research commented 2 years ago

atlas is vulnerable to Zip Slip attacks using unzip. Reported in huntr.

```java
// input evil.zip contains ../../evil.exe, which will be extracted in D:\test
ZipUtils.unzip("C:\\evil.zip", "D:\\test\\test\\test");
```

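
The containment check that prevents the traversal reported above, shown as an added example; it is not code from this pull request or from atlas. `SafeUnzip` and its `unzip` method are hypothetical names, and the archive is constructed in a temporary directory with the same layout as the report (three-level destination, `../../evil.exe` entry).

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip {
    // Hypothetical helper (not atlas's ZipUtils): extracts zipFile into destDir
    // and rejects any entry whose resolved path leaves destDir.
    static void unzip(Path zipFile, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        try (ZipInputStream in = new ZipInputStream(Files.newInputStream(zipFile))) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                // normalize() collapses "../" segments before the check. An absolute
                // entry name replaces root entirely in resolve(), so it fails too.
                Path target = root.resolve(e.getName()).normalize();
                // Path.startsWith compares whole path components, so a sibling
                // directory such as "<root>-other" does not pass as a string prefix would.
                if (!target.startsWith(root)) {
                    throw new IOException("Zip entry escapes target dir: " + e.getName());
                }
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path work = Files.createTempDirectory("zipslip-demo");
        Path zip = work.resolve("constructed.zip");
        // Constructed sample archive: one benign entry, one traversal entry.
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(zip))) {
            for (String name : new String[] {"ok/readme.txt", "../../evil.exe"}) {
                out.putNextEntry(new ZipEntry(name));
                out.write("sample".getBytes());
                out.closeEntry();
            }
        }
        Path dest = work.resolve("test/test/test");
        try {
            unzip(zip, dest);
        } catch (IOException ex) {
            System.out.println("Rejected: " + ex.getMessage());
        }
        System.out.println("benign entry written: " + Files.exists(dest.resolve("ok/readme.txt")));
        System.out.println("escaped file written: " + Files.exists(work.resolve("test/evil.exe")));
    }
}
```

The check covers path traversal through entry names only; it does not follow or validate symbolic links that already exist under the destination directory.
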
CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.