fix: arbitrary file access during archive extraction zipslip on index

Open odaysec opened this issue 6 months ago • 1 comments



Description

To fix the issue, we need to validate the header.name field before using it to construct file paths. Specifically, we should ensure that the path does not contain directory traversal elements (..) and is confined to the intended directory (tempDir). This can be achieved by checking whether the resolved path starts with the tempDir prefix after normalization.

Steps to fix:

  1. Add a validation step for header.name before constructing filePath.
  2. Use path.resolve to normalize the constructed path and ensure it remains within tempDir.
  3. Skip processing the entry if the validation fails, logging a warning for debugging purposes.

Required changes:

  • Modify the extractTarball function to include path validation logic.
  • Ensure that only safe paths are used for file system operations.

Zip Slip Vulnerability


if relevant add screenshots or screen captures to prove that this PR works to save us time (check Cap).

if you are not the author of this PR and you see it and you think it can take more than 30 mins for maintainers to review, we will tip you between $20 and $200 for you to review and test it for us.

odaysec avatar May 29 '25 11:05 odaysec

🧪 testing bounty created!

a testing bounty has been created for this PR: view testing issue

testers will be awarded $20 each for providing quality test reports. please check the issue for testing requirements.

github-actions[bot] avatar May 29 '25 11:05 github-actions[bot]

/bounty 500 /claim #1809

odaysec avatar Aug 13 '25 19:08 odaysec

💎 $10 bounty • Orange

Steps to solve:

  1. Start working: Comment /attempt #1808 with your implementation plan
  2. Submit work: Create a pull request including /claim #1808 in the PR body to claim the bounty
  3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

❗ Important guidelines:

  • To claim a bounty, you need to provide a short demo video of your changes in your pull request
  • If anything is unclear, ask for clarification before starting as this will help avoid potential rework
  • Low quality AI PRs will not receive review and will be closed
  • Do not ask to be assigned unless you've contributed before

Thank you for contributing to mediar-ai/screenpipe!

algora-pbc[bot] avatar Aug 13 '25 19:08 algora-pbc[bot]

/claim #1808

odaysec avatar Aug 13 '25 19:08 odaysec

/attempt #1808

orangecurl avatar Aug 13 '25 20:08 orangecurl