brendan-duncan / archive

Dart library to encode and decode various archive and compression formats, such as Zip, Tar, GZip, ZLib, and BZip2.
MIT License

Archive is vulnerable to symlink path traversal #265

Closed BlueSquare1 closed 1 year ago

BlueSquare1 commented 1 year ago

Hello,

While doing some security testing on the archive package, we noticed that it supports symlinks. While symlinks might be an intended functionality of your package, we do believe that symlinks pointing outside the extraction directory are more of a security risk than a feature. Below is an example where we created a symlink pointing to a file secret.txt in the parent directory, zipped it and extracted it using the extractFileToDisk method from the archive package; the symlink was created back after extraction.

[Screenshot from my workstation]

[Screenshot from my test mobile device]

brendan-duncan commented 1 year ago

I updated extractArchiveToDisk and extractFileToDisk to not create symlinks that begin with '..' or '/', which would be outside of the extracted path.

jonasfj commented 1 year ago

@brendan-duncan you could consider referencing the CVE in your changelog: https://github.com/advisories/GHSA-9v85-q87q-g4vg
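The containment check for symlink entries that the report and the fix above describe, written here in Python as an added example (it is not the archive package's Dart code). Entry names and link targets are constructed for illustration; the check resolves each link target relative to the directory holding the link and normalizes it, so traversal reached through an intermediate directory is also caught.

```python
import posixpath


def symlink_target_is_contained(link_path: str, target: str) -> bool:
    """Return True if a symlink stored at link_path (an archive path relative
    to the extraction root) pointing at target stays inside that root.

    Archive paths are treated as POSIX paths; the extraction root is ".".
    """
    if not link_path or not target:
        return False
    # An absolute link location or an absolute target can never be
    # contained in the extraction directory.
    if link_path.startswith("/") or target.startswith("/"):
        return False
    # Resolve the target relative to the directory that holds the link,
    # then normalize so that e.g. "sub/../../x" collapses to "../x".
    link_dir = posixpath.dirname(posixpath.normpath(link_path))
    resolved = posixpath.normpath(posixpath.join(link_dir, target))
    # After normalization, any path escaping the root begins with "..".
    return not (resolved == ".." or resolved.startswith("../"))


def rejected_symlinks(entries):
    """Given (archive_path, symlink_target_or_None) pairs, return the paths of
    symlink entries that an extractor should refuse to create."""
    return [
        name
        for name, target in entries
        if target is not None and not symlink_target_is_contained(name, target)
    ]


# Constructed sample archive listing mirroring the scenario in the report:
# a regular file, a link that stays inside the root, and two that escape it.
SAMPLE_ENTRIES = [
    ("readme.txt", None),
    ("data/link_to_readme", "../readme.txt"),   # resolves to readme.txt: ok
    ("link_to_secret", "../secret.txt"),        # parent directory: reject
    ("link_to_passwd", "/etc/passwd"),          # absolute target: reject
]

if __name__ == "__main__":
    print(rejected_symlinks(SAMPLE_ENTRIES))
```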