fix arbitrary file access during archive extraction ("Zip Slip") #34982

Open. Wants to merge 1 commit into base: master.

Conversation

@odaysec odaysec commented May 17, 2025

	for _, file := range reader.File {
		// file.Name is taken straight from the archive and joined onto dest with
		// no check that the result stays inside dest, so an entry named "../x"
		// resolves to a path outside the destination directory (Zip Slip).
		fileName := filepath.Join(dest, file.Name)
		if file.FileInfo().IsDir() {
			os.MkdirAll(fileName, 0700)
			continue
		}
		sf, err := file.Open()
		if err != nil {
			return fmt.Errorf("error opening source file %s: %w", file.Name, err)
		}
		defer sf.Close()
		// The unvalidated path is opened for writing, creating or truncating
		// whatever file it points at.
		df, err := os.OpenFile(fileName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0777)
		if err != nil {
			return fmt.Errorf("error opening destination file %s: %w", fileName, err)
		}
		defer df.Close()
		if _, err := io.Copy(df, sf); err != nil {
			return err
		}
	}

To fix the issue, we need to validate the file paths extracted from the zip archive to ensure they do not contain directory traversal elements (..) and are confined to the intended destination directory. This can be achieved by resolving the absolute path of the constructed fileName and ensuring it is a subpath of the dest directory. If the validation fails, the file should be skipped or an error should be raised.

The fix involves:

  1. Resolving the absolute path of fileName using filepath.Abs.
  2. Ensuring that the resolved path starts with the absolute path of the dest directory.
  3. Skipping or rejecting files that fail this validation.

Extracting files from a malicious zip file, or a similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated.

Zip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (..). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.

For example, if a zip file contains a file entry ..\beam-file, and the zip file is extracted to the directory c:\output, then naively combining the paths would result in an output file path of c:\output\..\beam-file, which would cause the file to be written to c:\beam-file.

In this example, an archive is extracted without validating file paths. If archive.zip contained relative paths (for instance, if it were created by something like zip archive.zip ../file.txt), then executing this code could write to locations outside the destination directory.

package main

import (
	"archive/zip"
	"os"
	"path/filepath"
)

func unzip(f string) {
	r, err := zip.OpenReader(f)
	if err != nil {
		return
	}
	defer r.Close()
	for _, f := range r.File {
		// The entry name is resolved against the current working directory, so
		// "../x" or an absolute name can point anywhere on the file system.
		p, _ := filepath.Abs(f.Name)
		// BAD: This could overwrite any file on the file system
		os.WriteFile(p, []byte("present"), 0666)
	}
}

To fix this vulnerability, we need to check that the path does not contain any ".." elements in it.

package main

import (
	"archive/zip"
	"os"
	"path/filepath"
	"strings"
)

func unzipGood(f string) {
	r, err := zip.OpenReader(f)
	if err != nil {
		return
	}
	defer r.Close()
	for _, f := range r.File {
		p, _ := filepath.Abs(f.Name)
		// GOOD: Check that path does not contain ".." before using it
		if !strings.Contains(f.Name, "..") {
			os.WriteFile(p, []byte("present"), 0666)
		}
	}
}

References

Zip Slip Vulnerability
Path Traversal
CWE-22

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

  • Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
  • Update CHANGES.md with noteworthy changes.
  • If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

See CI.md for more information about GitHub Actions CI or the workflows README to see a list of phrases to trigger workflows.
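The three steps listed in the description, carried through as a complete Go program. This is an example added here, not the PR's patch and not Beam code; the function names safeJoin, withinDir, extractZip, writeEntry and buildSampleZip, and the three sample entries, are the example's own. It resolves the destination with filepath.Abs once, joins every entry name onto it, and writes only when the result is the destination itself or begins with the destination followed by a path separator; a bare strings.HasPrefix for step 2 would let an entry escape into a sibling such as /tmp/output when the destination is /tmp/out. It also refuses entry names that are not local (a leading slash or a leading "..") with filepath.IsLocal, which the strings.Contains(f.Name, "..") check in the unzipGood example above does not do for an absolute name, and it tolerates the ErrInsecurePath that zip.NewReader may return on Go 1.20+ when GODEBUG=zipinsecurepath=0, since the reader is still usable. Both IsLocal and ErrInsecurePath need Go 1.20 or later. The sample archive is built in memory from constructed entries, so the program runs offline:

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrZipSlip marks an archive entry whose name would land outside dest.
var ErrZipSlip = errors.New("zip slip: entry escapes destination directory")

// withinDir reports whether target is root or lies beneath it. The trailing
// separator matters: without it "/tmp/output/x" would pass for root "/tmp/out".
func withinDir(root, target string) bool {
	root, target = filepath.Clean(root), filepath.Clean(target)
	return target == root || strings.HasPrefix(target, root+string(os.PathSeparator))
}

// safeJoin is the fix from the description: join the entry name onto the
// already-absolute destination (Join cleans, so this is the resolved path) and
// require it to stay under absDest. Non-local names ("../x", "/etc/x") are
// refused first via filepath.IsLocal (Go 1.20+).
func safeJoin(absDest, name string) (string, error) {
	name = filepath.FromSlash(name) // zip entry names always use '/'
	target := filepath.Join(absDest, name)
	if !filepath.IsLocal(name) || !withinDir(absDest, target) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// extractZip extracts an in-memory archive into dest. Entries failing the
// path check are skipped and reported in rejected rather than written.
func extractZip(archive []byte, dest string) (extracted, rejected []string, err error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return nil, nil, err
	}
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	// Go 1.20+ may report non-local names (GODEBUG zipinsecurepath=0) yet still
	// return a usable reader; safeJoin makes the per-entry decision below.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, nil, err
	}
	for _, f := range zr.File {
		target, err := safeJoin(absDest, f.Name)
		if errors.Is(err, ErrZipSlip) {
			rejected = append(rejected, f.Name)
			continue
		}
		if err == nil {
			err = writeEntry(f, target)
		}
		if err != nil {
			return extracted, rejected, err
		}
		extracted = append(extracted, target)
	}
	return extracted, rejected, nil
}

// writeEntry materialises one entry at target, closing file handles per entry
// instead of deferring them inside the caller's loop.
func writeEntry(f *zip.File, target string) error {
	if f.FileInfo().IsDir() {
		return os.MkdirAll(target, 0o700)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
		return err
	}
	src, err := f.Open()
	if err != nil {
		return err
	}
	defer src.Close()
	dst, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer dst.Close()
	_, err = io.Copy(dst, src)
	return err
}

// buildSampleZip constructs an archive in memory (made-up entries, not from
// any real artifact): one benign file and two that try to escape dest.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range [][2]string{{"ok/good.txt", "benign"}, {"../evil.txt", "traversal"}, {"/abs.txt", "absolute"}} {
		w, _ := zw.Create(e[0])
		w.Write([]byte(e[1]))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "zipslip-demo")
	defer os.RemoveAll(dest)
	extracted, rejected, err := extractZip(buildSampleZip(), dest)
	fmt.Println("extracted:", extracted, "rejected:", rejected, "err:", err)
}
```

Rejected entries are reported rather than aborting the whole extraction, which matches the "skip or reject" option in the description; turning the continue into a return is the fail-closed alternative. Because writeEntry copies every entry as a regular file, a symlink entry ends up as a plain file holding the link target, so the variant where an archive first plants a symlink and then writes through it does not apply to this extractor; one that recreates symlinks must validate link targets as well.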

@github-actions github-actions bot added the go label May 17, 2025

Assigning reviewers:

R: @jrmccluskey for label go.

Note: If you would like to opt out of this review, comment assign to next reviewer.

Available commands:

  • stop reviewer notifications - opt out of the automated review tooling
  • remind me after tests pass - tag the comment author after tests pass
  • waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).
