
fix: arbitrary file access during archive extraction (zip slip) #13766


Open: wants to merge 2 commits into base: main

Conversation

@odaysec odaysec commented Feb 28, 2025

Ticket 🎟️ #13765

To fix the problem, we need to ensure that the output paths constructed from tar archive entries are validated to prevent writing files to unexpected locations. This can be done by verifying that the normalized full path of the output file starts with a prefix that matches the destination directory. We will use java.nio.file.Path.normalize() and java.nio.file.Path.startsWith() for this purpose.

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and/or screenshots.
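As an added example (not the PR's own code; the destination directory and the entry names below are constructed for illustration), here is a helper that applies the check the description proposes: resolve each archive entry name against the destination directory, normalize the result with Path.normalize(), and require Path.startsWith() on the normalized destination before anything is written.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: validating archive entry paths before extraction. */
public final class SafeEntryPath {

    /** Thrown when an archive entry would resolve outside the destination directory. */
    public static final class EntryOutsideDestinationException extends IOException {
        public EntryOutsideDestinationException(String entryName) {
            super("Archive entry would be written outside the destination: " + entryName);
        }
    }

    /**
     * Resolves an archive entry name against the destination directory and verifies
     * that the normalized result still lies inside it. Absolute entry names are
     * rejected too, because resolve() returns them unchanged and they then fail
     * the startsWith() test.
     */
    public static Path resolveEntry(Path destDir, String entryName) throws IOException {
        // Normalize the destination once so that prefixes such as "out/../out" compare correctly.
        Path normalizedDest = destDir.toAbsolutePath().normalize();
        // Resolve the entry relative to the destination, then collapse any "." and ".." segments.
        Path candidate = normalizedDest.resolve(entryName).normalize();
        // Path.startsWith compares whole path components, so "out-other" is not inside "out".
        if (!candidate.startsWith(normalizedDest)) {
            throw new EntryOutsideDestinationException(entryName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed destination directory for the demonstration (nothing is written to disk).
        Path dest = Paths.get("/tmp/extract-demo");
        // Constructed entry names: the first two are legitimate, the rest must be rejected.
        String[] entries = {
            "app/config.json",
            "./assets/icon.png",
            "../outside.txt",
            "nested/../../escape.txt",
            "/absolute/path.txt"
        };
        for (String entry : entries) {
            try {
                System.out.println("OK       " + entry + " -> " + resolveEntry(dest, entry));
            } catch (EntryOutsideDestinationException e) {
                System.out.println("REJECTED " + entry + " (" + e.getMessage() + ")");
            } catch (IOException e) {
                System.out.println("ERROR    " + entry + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two points worth keeping in mind when applying this in an extractor: Path.startsWith(Path) compares path components rather than characters, so a sibling directory whose name merely begins with the destination's name is not accepted, which a String.startsWith check on the rendered path would get wrong; and normalize() is purely lexical and does not follow symbolic links, so if the archive format allows symlink entries the extractor has to handle those separately (for example by refusing them, or by validating their targets with the same check).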

@odaysec odaysec requested a review from a team as a code owner February 28, 2025 05:00

github-actions bot commented Feb 28, 2025

CLA Signature Action:

Thank you for your submission, we really appreciate it. We ask that you all read and sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just by adding a comment to this pull request with this exact sentence:

I have read the CLA Document and I hereby sign the CLA

By commenting with the above message you are agreeing to the terms of the CLA. Your account will be recorded as agreeing to our CLA so you don't need to sign it again for future contributions to this repository.

1 out of 2 committers have signed the CLA.
@sethkfman
@odaysec

@metamaskbot metamaskbot added external-contributor INVALID-PR-TEMPLATE PR's body doesn't match template labels Feb 28, 2025

odaysec commented Feb 28, 2025

/cla missing: the endpoint for the CLA sign-on (Contributor License Agreement) can't open (blank page)

@smilingkylan smilingkylan added the Run Smoke E2E Triggers smoke e2e on Bitrise label Mar 12, 2025

@smilingkylan smilingkylan left a comment


LGTM

@smilingkylan smilingkylan added Run Smoke E2E Triggers smoke e2e on Bitrise team-mobile-platform Mobile Platform team and removed Run Smoke E2E Triggers smoke e2e on Bitrise labels Mar 12, 2025
@smilingkylan commented

@odaysec Could you try agreeing to the CLA once more? Let me know if it still isn't working.


odaysec commented Mar 12, 2025

Hi @smilingkylan, I still can't sign; the CLA button is missing on https://metamask.io/cla (Contributor License Agreement).

Browser:

  • Mozilla Firefox
  • Chrome

@sethkfman sethkfman added the skip-sonar-cloud Only used for bypassing sonar cloud when failures are not relevant to the changes. label Mar 13, 2025
@sethkfman commented

Added the skip-sonar-cloud for an external contributor and that code is not analyzed.

@sethkfman commented


1 out of 2 committers have signed the CLA. ✅ @sethkfman, @odaysec

@odaysec Please follow the instructions and post the specific comment in the reply above. Thanks


odaysec commented Mar 14, 2025

Hi @sethkfman

Thank you for your response. The page for signing the CLA was broken; I created a GIF as a sample POC.

Labels: external-contributor, INVALID-PR-TEMPLATE (PR's body doesn't match template), Run Smoke E2E (Triggers smoke e2e on Bitrise), skip-sonar-cloud (Only used for bypassing sonar cloud when failures are not relevant to the changes), team-mobile-platform (Mobile Platform team)
Development: successfully merging this pull request may close these issues: [Bug]: 🐛 Arbitrary file access during archive extraction ("Zip Slip")
4 participants