Skip to content

Fix zip slip vulnerability, other zip issues and tests #93

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: trunk
Choose a base branch
from
Open

Fix zip slip vulnerability, other zip issues and tests #93

wants to merge 6 commits into from
+85 −3

Conversation

@reimic
Copy link
Collaborator

@reimic reimic commented Mar 26, 2024
edited
Loading

🚧 Work in progress 🚧

What does this PR do?

  • zip_extract_to method will now throw an exception if it encounters files with a relative path Zip Slip Vulnerability #73 ( I recommend throwing an exception instead of skipping dangerous files in zips. I was swayed by the argument that letting only some files through breaks user-data integrity.)

What problem does it fix?

How to test if it works?

  • this PR explicitly tests that the zip slip / zip symlink vulnerability was fixed

@reimic reimic self-assigned this Mar 26, 2024
@brandonpayton
Copy link
Member

brandonpayton commented Mar 26, 2024

Hi @reimic, thank you for this PR. As I was reading, I found it a bit difficult to review due to multiple purposes in the changes:

What problem does it fix?

  • there was a vulnerability in the zip_extract_to method
  • zip functions caused an error when the code was run with PHP == 7.0
  • tests were slightly off and had to be updated

Would you be willing to break this into multiple single-purpose PRs so we can focus more clearly on each issue?

@reimic
Copy link
Collaborator Author

reimic commented Mar 27, 2024

Sure, @brandonpayton - let's start here: #94

@reimic
Copy link
Collaborator Author

reimic commented Mar 27, 2024

Annnd, @brandonpayton - then progress to here: #95

adamziel
adamziel reviewed Mar 28, 2024
View reviewed changes
tests/unit/zip/ZipFunctionsTest.php Outdated

$filesystem->remove( dirname( $filename ) );
$slipped_file = Path::canonicalize(__DIR__ . "../../../../../../../../tmp/zip-slip-test.txt");
self::assertFileDoesNotExist( $slipped_file );
Copy link
Collaborator

@adamziel adamziel Mar 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This checks for a single, very specific path. Why not test for a single, simple case like ../tmp-zip-slip-test.txt? And then confirm where the file was actually created – if anywhere?

Copy link
Collaborator

@adamziel adamziel Mar 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also let's test for a path starting with /

Copy link
Collaborator

@adamziel adamziel Mar 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also let's test for zipped symlinks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamziel adamziel adamziel left review comments

Assignees

@reimic reimic

Labels

PHP 7 Compatibility Steps tests V1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@reimic @brandonpayton @adamziel