zeroturnaround / zt-zip

ZeroTurnaround ZIP Library
http://www.zeroturnaround.com/
Apache License 2.0

Potential Path traversal vulnerability report #159

Open LQxdu opened 1 week ago

LQxdu commented 1 week ago

Problem Statement

We recently discovered that the patch for the historical vulnerability CVE-2018-1002201 in zt-zip is incomplete. zt-zip added the following checks to restrict arbitrary malicious file creation and writing:

+ if (name.indexOf("..") != -1 && !destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+      throw new MaliciousZipException(outputDir, name);
+    }
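Review bot: The containment test in this hunk compares canonical paths as plain strings, so `destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())` also holds for any sibling directory whose name begins with the output directory's name (the same weakness the referenced CVE-2021-25329 fix addressed in Tomcat); compare `Path` objects element-wise instead. The check is additionally gated on `name.indexOf("..") != -1`, so it runs only for entry names that literally contain `..`; since the canonical-path comparison is cheap, it is safer to apply it to every entry rather than to a substring-selected subset.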

However, an attacker could craft a malicious request to bypass this patch. For security reasons, we are not providing the specific exploit here. As a reference, a similar incomplete fix occurred in Tomcat. CVE-2020-9484 used the same method to address the vulnerability, but CVE-2021-25329 exposed the shortcomings of that fix.

The patch for CVE-2020-9484 (https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b#diff-d2801d6b9c9ff6f98a6871accb7e61499ed3899f5234028997387ad65906e5e7):

+        if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+            log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+            return null;
+        }

The patch for CVE-2021-25329 (https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4):

 -       if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
 +       if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
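Review bot: The replacement line is the right shape: `java.nio.file.Path.startsWith(Path)` compares whole name elements, so `/tmp/out-other/x` no longer counts as being under `/tmp/out`. Note that it still goes through `getCanonicalFile()` before `toPath()`, which is deliberate: `Path.toRealPath()` would throw for a destination that does not exist yet, whereas `File.getCanonicalFile()` resolves symlinks in the existing prefix and normalises the rest without requiring the file to exist.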

Recommended Fix (PR https://github.com/zeroturnaround/zt-zip/pull/158)

-  if (name.indexOf("..") != -1 && !destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+ if (name.indexOf("..") != -1 && !destFile.getCanonicalFile().toPath().startsWith(outputDir.getCanonicalFile().toPath())) {
+      throw new MaliciousZipException(outputDir, name);
+    }
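The two containment checks discussed above side by side, as an added example that is not zt-zip code: the class name, method names and sample entry names are constructed for illustration, and the output directory is a hypothetical folder under the JVM's temp directory.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/** Hypothetical helper (not part of zt-zip) comparing the incomplete
 *  string-prefix check with the recommended element-wise Path check. */
public final class ZipDestinationCheck {

    /** The check quoted in the issue: canonical paths compared as strings. */
    static boolean stringPrefixCheck(File outputDir, String name) throws IOException {
        File destFile = new File(outputDir, name);
        return destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath());
    }

    /** The recommended check: Path.startsWith compares whole path elements,
     *  so only a true descendant of outputDir is accepted. The canonical File
     *  is taken first because the destination usually does not exist yet. */
    static boolean pathElementCheck(File outputDir, String name) throws IOException {
        File destFile = new File(outputDir, name);
        Path dest = destFile.getCanonicalFile().toPath();
        Path root = outputDir.getCanonicalFile().toPath();
        return dest.startsWith(root);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a hypothetical extraction target and three entry names.
        File outputDir = new File(System.getProperty("java.io.tmpdir"), "zt-out");
        String[] names = {
            "docs/readme.txt",      // legitimate entry: both checks accept it
            "../escape.txt",        // classic traversal: both checks reject it
            "../zt-out2/x.txt"      // sibling directory sharing the name prefix:
                                    // only the Path-based check rejects it
        };
        for (String name : names) {
            System.out.printf("%-20s string=%-5s path=%-5s%n", name,
                    stringPrefixCheck(outputDir, name), pathElementCheck(outputDir, name));
        }
    }
}
```

Running it shows why the string comparison alone is an insufficient fix: the third entry resolves outside `zt-out` yet passes `stringPrefixCheck`, while `pathElementCheck` rejects it.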
nemecec commented 1 week ago

Thanks for notifying! Could you provide a PR?