Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix zip slip vulnerability, other zip issues and tests #93

Open
wants to merge 6 commits into
base: trunk
Choose a base branch
from

Conversation

reimic
Copy link
Collaborator

@reimic reimic commented Mar 26, 2024

🚧 Work in progress 🚧

What does this PR do?

  • zip_extract_to method will now throw an exception if it encounters files with a relative path Zip Slip Vulnerability #73 ( I recommend throwing an exception instead of skipping dangerous files in zips. I was swayed by the argument that letting only some files through breaks user-data integrity.)

What problem does it fix?

How to test if it works?

  • this PR explicitly tests that the zip slip / zip symlink vulnerability was fixed

@brandonpayton
Copy link
Member

Hi @reimic, thank you for this PR. As I was reading, I found it a bit difficult to review due to multiple purposes in the changes:

What problem does it fix?

  • there was a vulnerability in the zip_extract_to method
  • zip functions caused an error when the code was run with PHP == 7.0
  • tests were slightly off and had to be updated

Would you be willing to break this into multiple single-purpose PRs so we can focus more clearly on each issue?

@reimic
Copy link
Collaborator Author

reimic commented Mar 27, 2024

Sure, @brandonpayton - let's start here: #94

@reimic
Copy link
Collaborator Author

reimic commented Mar 27, 2024

Annnd, @brandonpayton - then progress to here: #95


$filesystem->remove( dirname( $filename ) );
$slipped_file = Path::canonicalize(__DIR__ . "../../../../../../../../tmp/zip-slip-test.txt");
self::assertFileDoesNotExist( $slipped_file );
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This checks for a single, very specific path. Why not test for a single, simple case like ../tmp-zip-slip-test.txt? And then confirm where the file was actually created – if anywhere?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also let's test for a path starting with /

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also let's test for zipped symlinks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants