Closed BlueSquare1 closed 1 year ago
I updated extractArchiveToDisk and extractFileToDisk to not create symlinks that begin with '..' or '/', which would be outside of the extracted path.
@brendan-duncan you could consider referencing the CVE in your changelog: https://github.com/advisories/GHSA-9v85-q87q-g4vg
Hello,

While doing some security testing on the `archive` package, we noticed that it supports symlinks. While symlinks might be an intended functionality of your package, we do believe that symlinks pointing outside the extraction directory are more of a security risk than a feature. Below is an example where we created a symlink pointing to a file `secret.txt` in the parent directory, zipped it and extracted it using the `extractFileToDisk` method from the `archive` package; the symlink was created back after extraction.

[Screenshot from my workstation]

[Screenshot from my test mobile device]
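The check the maintainer describes (rejecting symlink targets that begin with `..` or `/`) can be generalised by resolving each link target relative to the directory the link sits in and testing whether the result leaves the extraction root, which also catches targets such as `a/../../x` while still allowing a link in a subdirectory that legitimately points to `../data.txt`. The following is an added Python illustration, not the `archive` package's own Dart code; the archive it inspects is constructed in memory with `tarfile`, and the function and member names are my own.

```python
import io
import posixpath
import tarfile


def symlink_escapes_root(entry_name: str, link_target: str) -> bool:
    """True if a symlink entry `entry_name` -> `link_target` would resolve
    outside the extraction root (targets are resolved relative to the
    directory that contains the link, as the OS would do)."""
    if posixpath.isabs(link_target):          # absolute target: always outside
        return True
    link_dir = posixpath.dirname(posixpath.normpath(entry_name))
    resolved = posixpath.normpath(posixpath.join(link_dir, link_target))
    return (resolved == ".." or resolved.startswith("../")
            or posixpath.isabs(resolved))


def build_sample_archive() -> bytes:
    """Constructed sample: one regular file plus three symlinks, two of
    which point outside the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        ti = tarfile.TarInfo("data.txt")
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))
        # (name, target); the last one hides the escape behind a/.. segments
        for name, target in [("link_ok", "data.txt"),
                             ("sub/link_up_ok", "../data.txt"),
                             ("link_bad", "../secret.txt"),
                             ("sub/link_sneaky", "a/../../../secret.txt")]:
            ln = tarfile.TarInfo(name)
            ln.type = tarfile.SYMTYPE
            ln.linkname = target
            tar.addfile(ln)
    return buf.getvalue()


def classify_members(archive: bytes) -> dict:
    """Map each member name to 'kept' or 'rejected'; an extractor would
    skip (or fail on) the rejected symlinks instead of creating them."""
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            bad = m.issym() and symlink_escapes_root(m.name, m.linkname)
            verdicts[m.name] = "rejected" if bad else "kept"
    return verdicts
```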