brendan-duncan / archive

Dart library to encode and decode various archive and compression formats, such as Zip, Tar, GZip, ZLib, and BZip2.
MIT License

Archive package is vulnerable to zip filename spoofing #266

Closed BlueSquare1 closed 1 year ago

BlueSquare1 commented 1 year ago

Hi,

This is a follow-up to the previous issue report. We noticed that when archive tries to parse the filename from the zip header, it only considers the filename from the Local File Header and does not match it against the Central Directory Entry filename. This can pose a security risk, as the Local File Header can be easily spoofed, which leads to an inconsistency in the filenames of the entries before and after extraction. Below is a demo where we crafted a zip file with a spoofed Local File Header and tried extracting it using your package.

Screenshot from 2023-06-20 18-17-28: crafted zip file (poc.zip) binary content

Screenshot from 2023-06-20 18-18-34: zip file before extraction (the file inside appears as evil.txt)

Screenshot from 2023-06-20 18-20-18: zip file after extraction (the file now appears as evil.apk)

brendan-duncan commented 1 year ago

I'll look into fixing that up as soon as I get a chance.

brendan-duncan commented 1 year ago

I changed it to use the central directory filename instead of the local entry header name.
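The consistency check behind the report and the fix (read each entry's name from the central directory, compare it with the name in the local file header it points to, and reject the archive on any mismatch), as an added Python example that is not part of the archive package or this thread; `spoofed_sample()` is a constructed fixture mirroring the poc.zip described above, and the field offsets are those of the standard zip format.

```python
import io
import struct
import zipfile
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def central_entries(data: bytes):
    """Yield (name, local_header_offset) for each central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD fields: sig, disk, cd_disk, entries_here, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, total, _, pos, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        # fixed part is 46 bytes: name/extra/comment lengths at +28, local header offset at +42
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        lh_offset = struct.unpack("<I", data[pos + 42:pos + 46])[0]
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"), lh_offset
        pos += 46 + name_len + extra_len + comment_len

def local_name(data: bytes, offset: int) -> str:
    """Return the filename stored in the local file header at `offset`."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    name_len = struct.unpack("<H", data[offset + 26:offset + 28])[0]  # fixed part is 30 bytes
    return data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")

def filename_mismatches(data: bytes) -> list:
    """List (central_name, local_name) pairs whose headers disagree; empty means consistent."""
    pairs = [(c, local_name(data, off)) for c, off in central_entries(data)]
    return [(c, l) for c, l in pairs if c != l]

def build_zip(name: str) -> bytes:
    """Constructed test input: a one-entry zip written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, "placeholder content\n")
    return buf.getvalue()

def spoofed_sample() -> bytes:
    """Constructed fixture mirroring the report: central directory says evil.txt, local header says evil.apk."""
    data = bytearray(build_zip("evil.txt"))
    off = data.find(b"evil.txt")  # first occurrence is the local file header name (offset 30)
    data[off:off + 8] = b"evil.apk"  # same length, so no other offsets shift
    return bytes(data)
```

Python's own zipfile module applies the same rule: ZipFile.open() raises BadZipFile when the local header name differs from the central directory name, which is the behaviour an extractor should adopt rather than silently trusting either header.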