Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixing Zip Slip vulnerability #111

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fixing Zip Slip vulnerability #111

wants to merge 2 commits into from

Conversation

dlebrero
Copy link

@aviadatsnyk aviadatsnyk mentioned this pull request Jun 18, 2018
Merged
aviadatsnyk
aviadatsnyk reviewed Jun 18, 2018
View reviewed changes
src/me/raynes/fs/compression.clj Outdated
(java.io ByteArrayOutputStream File)))

(defn- check-final-path-inside-target-dir! [f target-dir entry]
(when-not (-> f .getCanonicalPath (.startsWith (.getCanonicalPath target-dir)))
Copy link

@aviadatsnyk aviadatsnyk Jun 18, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dlebrero great job fixing this!

can you please add the path separator after (.getCanonicalPath target-dir) and make it
(str (.getCanonicalPath target-dir) (java.io.File/separator)) (or any better implementation)?
This is to make sure that an evil file like /tmp/safe.UNSAFE/evil.sh cannot be written if the target directory is /tmp/safe.
See also the java reference implementation https://snyk.io/research/zip-slip-vulnerability#java.

@dlebrero
Copy link
Author

@aviadatsnyk thanks a lot for the review!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aviadatsnyk aviadatsnyk aviadatsnyk left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dlebrero @aviadatsnyk