Objective-Zip

Zip Path Traversal vulnerability

Open pwntester opened this issue 6 years ago • 1 comments

The unzip APIs are vulnerable to a Zip entry path manipulation (see: https://snyk.io/research/zip-slip-vulnerability). The library fails to check that the extracted file is going to be created under the destination folder.

A possible fix involves sanitizing the entry name returned by OZFileInZipInfo.name so that it does not contain "..".

Also, the documentation should recommend normalizing the path before writing to disk:

OZZipFile *unzipFile= [[OZZipFile alloc] initWithFileName:@"test.zip"
    mode:OZZipFileModeUnzip];

[unzipFile goToFirstFileInZip];
OZFileInZipInfo *info= [unzipFile getCurrentFileInZipInfo];

OZZipReadStream *read= [unzipFile readCurrentFileInZip];
NSMutableData *data= [[NSMutableData alloc] initWithLength:info.length];
[read readDataWithBuffer:data];

// Do something with data

[read finishedReading];

So adding something like:

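// Standardize the destination once and give it a trailing slash, so that a
// sibling folder whose name merely starts with destPath does not match.
NSString *destRoot = [destPath stringByStandardizingPath];
NSString *destPrefix = [destRoot hasSuffix:@"/"] ? destRoot : [destRoot stringByAppendingString:@"/"];

// info is the OZFileInZipInfo obtained in the snippet above.
NSString *fullName = [destRoot stringByAppendingPathComponent:info.name];
NSString *normalizedName = [fullName stringByStandardizingPath];
if ([normalizedName hasPrefix:destPrefix]) {
    // extract
} else {
    // fail
}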

Cheers,

A

pwntester, Sep 04 '18 12:09
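The containment check described in the issue above, as an added example that is not part of the original post or of Objective-Zip. `SafeExtractionPath` is a hypothetical helper, and `/tmp/out` and the entry names are constructed. It resolves `.` and `..` by walking the entry's components itself rather than calling `stringByStandardizingPath`, so the result does not depend on what exists on disk.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper, not part of Objective-Zip. Returns the path under
// destPath that entryName maps to, or nil if the entry would escape destPath.
// Purely lexical: symlinks that already exist under destPath are not examined.
static NSString *SafeExtractionPath(NSString *destPath, NSString *entryName) {
    NSMutableArray<NSString *> *kept = [NSMutableArray array];
    for (NSString *part in [entryName componentsSeparatedByString:@"/"]) {
        if (part.length == 0 || [part isEqualToString:@"."]) {
            continue;                        // leading "/", "//" and "." add nothing
        }
        if ([part isEqualToString:@".."]) {
            if (kept.count == 0) return nil; // would climb above destPath
            [kept removeLastObject];
            continue;
        }
        [kept addObject:part];
    }
    if (kept.count == 0) return nil;         // empty name, or resolves to destPath itself
    NSString *relative = [kept componentsJoinedByString:@"/"];
    return [destPath stringByAppendingPathComponent:relative];
}

int main(void) {
    @autoreleasepool {
        NSString *dest = @"/tmp/out";        // constructed destination folder
        NSArray<NSString *> *names = @[      // constructed entry names
            @"docs/readme.txt",
            @"docs/../notes.txt",
            // Joined to dest this normalizes to /tmp/out-backup/readme.txt,
            // which a bare hasPrefix:@"/tmp/out" comparison would accept.
            @"../out-backup/readme.txt",
            @"a/../../b.txt",
            @"/etc/hosts",
        ];
        for (NSString *name in names) {
            NSString *target = SafeExtractionPath(dest, name);
            NSLog(@"%@ -> %@", name, target ?: @"REJECTED");
        }
    }
    return 0;
}
```

In an extraction loop, the helper would be called with `info.name` before `readCurrentFileInZip`, and the entry skipped or the extraction aborted when it returns nil.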

Thanks for reporting. Will take a look into this.

gianlucabertani, Sep 04 '18 12:09