Fix zip slip vulnerability #47

dansimau · 2019-09-10T15:05:31Z

This fixes an issue where files within a zip file can break out of the target directory when being extracted.

Fixes #46.

shivamdixit

LGTM! Left a couple of small comments.

astro/tvm/utils.go

jcorbin · 2019-09-17T22:58:53Z

Fwiw, I have a need to implement similar zip extraction, here's the code I ended up with: https://gist.github.com/jcorbin/fd0716bd0bc4c49cd22d73e4aad23b38

extracts in GOMAXPROCS-parallel
slightly better reliability / error flow in the file extraction path
slightly better file permission restoration
more efficient for large archives, since it uses io.CopyBuffer internally with a re-used buffer, rather than io.Copy dynamically allocated a 32KB buffer for every extracted file (causing GC pressure scaling with size of archive)
oh and it supports context cancellation, in case that matters (e.g. timing out a large archive extraction, or otherwise)...
...around this code, I'm running the extraction into a sibling temporary directory, and then either os.Rename-ing into place when done, or os.RemoveAll-ing it in case of (e.g. cancellation) error (similar to github.com/google/reanmio.PendingFile, but for directories

Fix zip slip vulnerability

6bfaf0a

dansimau requested a review from shivamdixit September 10, 2019 15:05

dansimau self-assigned this Sep 10, 2019

shivamdixit approved these changes Sep 11, 2019

View reviewed changes

astro/tvm/utils.go Show resolved Hide resolved

dansimau merged commit 2aec9b3 into master Oct 2, 2019

Provide feedback