weichsel / ZIPFoundation

Effortless ZIP Handling in Swift
MIT License

BlackDuck Security Finding: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') #284

Closed Jonas1893 closed 1 year ago

Jonas1893 commented 1 year ago

Summary

For version 0.9.16 we receive the following security finding from BlackDuck:

An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file.

Common Weakness Enumeration (CWE)
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Is this a known issue?
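As an added example (not ZIPFoundation's own code, and written in Python rather than Swift to keep the check language-neutral), this is the containment check that mitigates the CWE-22 pattern the finding describes: every entry name read from the archive is normalised and must resolve beneath the destination directory before anything is written. `DEMO_ROOT` and the sample entry names are constructed for the demonstration.

```python
import os
import posixpath

class PathTraversalError(ValueError):
    """Raised when an archive entry would be written outside the destination."""

def safe_destination(dest_root: str, entry_name: str) -> str:
    """Return the absolute path for entry_name under dest_root, or raise
    PathTraversalError if the name escapes the root. ZIP names use '/', but
    some archivers write '\\'; both count as separators here."""
    root = os.path.realpath(dest_root)
    if "\0" in entry_name:
        raise PathTraversalError(f"NUL byte in entry name {entry_name!r}")
    name = entry_name.replace("\\", "/")
    # Absolute names and Windows drive prefixes never belong in an archive.
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        raise PathTraversalError(f"absolute entry name {entry_name!r}")
    # Collapse '.' and '..' lexically; a name still starting with '..', or
    # naming the root itself, is rejected before anything touches the disk.
    normalized = posixpath.normpath(name)
    if normalized in (".", "..") or normalized.startswith("../"):
        raise PathTraversalError(f"entry escapes destination: {entry_name!r}")
    # realpath follows symlinks already on disk, so this also catches an
    # earlier entry that planted a link pointing outside the root.
    target = os.path.realpath(os.path.join(root, normalized))
    if os.path.commonpath([root, target]) != root:
        raise PathTraversalError(f"entry escapes destination: {entry_name!r}")
    return target

def plan_extraction(dest_root, entry_names):
    """Split names into accepted {name: path} and rejected {name: reason}."""
    accepted, rejected = {}, {}
    for name in entry_names:
        try:
            accepted[name] = safe_destination(dest_root, name)
        except PathTraversalError as exc:
            rejected[name] = str(exc)
    return accepted, rejected

# Constructed sample names (not from the report) covering the shapes the
# CWE-22 text describes; DEMO_ROOT is a hypothetical destination directory.
DEMO_ROOT = "/tmp/extract-demo"
SAMPLE_ENTRIES = ["docs/readme.txt", "src/../assets/logo.png",
                  "../../outside.txt", "/absolute/outside.txt",
                  "..\\..\\outside-backslash.txt"]

if __name__ == "__main__":
    ok, bad = plan_extraction(DEMO_ROOT, SAMPLE_ENTRIES)
    for name, reason in bad.items():
        print(f"REJECT {name!r}: {reason}")
```

Running the check before each write (rather than after extraction) is what turns a crafted entry name into a rejected entry instead of a file outside the destination.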

Jonas1893 commented 1 year ago

Closing because this is a duplicate of #281 and #282.