Closed Zlase0820 closed 1 year ago
You wrote you ran it against the latest version, but are you sure?
Jodd actually already addressed this issue back in 2018 with version 5.0.5 - https://github.com/oblac/jodd/releases/tag/v5.0.5 - and throws an exception in that case
I briefly thought it might have something to do with the execution context and the current working directory, but that does not seem to be the case either.
As you provide a value for destDir
, rootDir
is also set and isAncestor
verifies if the new file is within that directory.
@Zlase0820 can you please confirm you have an issue? As @neroux said, this was fixed long time ago. Moreover, I don't see neo4j-io version 6 on maven, only 5.
Description
In the method "unzip" (line 216) of the file https://github.com/oblac/jodd-util/blob/master/src/main/java/jodd/io/ZipUtil.java#L216, it is possible to input malicious zip files, which can result in the high-risk files after decompression being stored in any location, even leading to file overwrite and other situations.
Version Affected
org.neo4j:neo4j-io:6.2.1(newest)
Proof of Concept
I use a maven project import the jodd-util in pom.xml.
Use the following zip() method to create a zip file from a txt file, and the name of the compressed file will be renamed to "..\..\a\b\c\poc.txt". (You should create this path firstly)
Then call the ZipUtil.unzip() method, originally intended to unzip the file to "D:\zeroVulnCode\SilentVulnJava\testData\unzip", but it will eventually be extracted to its another directory "D:\zeroVulnCode\SilentVulnJava\a\b\c\poc.txt\".
This may cause the original file to be overwritten by a high-risk file.
I think we can add a simple verification check on the path to avoid this issue. We can refer to other verification methods for unzip under Apache, such as:
https://github.com/apache/druid/blob/master/processing/src/main/java/org/apache/druid/utils/CompressionUtils.java#L242
He has the same error,and fixed in CVE-2023-27603.