Zip Path Traversal vulnerability
The unzip APIs are vulnerable to a Zip entry path manipulation (see: https://snyk.io/research/zip-slip-vulnerability). The library fails to check that the extracted file is going to be created under the destination folder.
A possible fix involves checking the normalized path of the final extracted file name and checking that it starts with the destination path:
// Normalize the destination too, and keep a trailing separator so that a
// prefix match cannot be satisfied by a sibling such as "<destPath>-evil".
NSString *destBase = [[destPath stringByStandardizingPath] stringByAppendingString:@"/"];
NSString *fullName = [NSString stringWithFormat:@"%@/%@", destPath, entry.name];
// Collapses "." and ".." components so "../../x" resolves to its real target.
NSString *normalizedName = [fullName stringByStandardizingPath];
if ([normalizedName hasPrefix:destBase]) {
    // extract
} else {
    // fail: entry would be written outside the destination folder
}
Please let me know if you have any doubts.
Cheers, A
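The same normalize-then-compare check, as an added Python example that is not part of the issue or of the library: it runs a constructed entry list through the fix and also shows why a bare prefix test is not enough (a sibling directory sharing the destination's name as a prefix slips past it). The destination path `/srv/out` and every entry name are made up for the demonstration.

```python
import os

# Constructed sample listing (not from a real archive): entry names as they
# would appear in a zip's central directory, a few of them hostile.
SAMPLE_ENTRIES = [
    "docs/readme.txt",          # plain, inside dest
    "docs/../notes.txt",        # '..' that still stays inside dest
    "sub/dir/",                 # directory entry
    "../../etc/passwd",         # classic Zip Slip
    "a/b/../../../escape.txt",  # '..' hidden behind real components
    "/etc/shadow",              # absolute name
    "../out-evil/x",            # escapes into a sibling sharing dest's prefix
]

def resolve_entry(dest_dir, entry_name):
    """Return the absolute path an entry may be written to, or None when the
    normalized path lands outside dest_dir (the Zip Slip condition)."""
    dest = os.path.realpath(dest_dir)
    # join() discards dest for absolute names, so those are rejected below too
    candidate = os.path.realpath(os.path.join(dest, entry_name))
    # commonpath rather than startswith: "/srv/out" must not accept "/srv/out-evil/x"
    if os.path.commonpath([dest, candidate]) != dest:
        return None
    return candidate

def naive_prefix_check(dest_dir, entry_name):
    """The bare startswith check, kept only to show its sibling-directory gap."""
    dest = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(dest, entry_name))
    return candidate.startswith(dest)

def triage(dest_dir, entries):
    """Map each entry name to its safe target path, or None if it must be refused."""
    return {name: resolve_entry(dest_dir, name) for name in entries}

if __name__ == "__main__":
    for name, target in triage("/srv/out", SAMPLE_ENTRIES).items():
        print(f"{'OK    ' if target else 'REJECT'} {name!r} -> {target}")
```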