Pixeebot / Introduced protections against "zip slip" attacks #2020
Conversation
* Introduced protections against "zip slip" attacks * update gradle files, include pixee-java-security --------- Co-authored-by: pixeebot[bot] <[email protected]> Co-authored-by: Zach <[email protected]>
|
@zcarroll4 Thanks for the PR. But are you sure Jadx is still vulnerable to such attacks? Because we already have a ZIP entry path traversal check in place. Our implementation is just not integrated into ZipInputStream https://github.com/skylot/jadx/blob/master/jadx-core/src/main/java/jadx/api/plugins/utils/ZipSecurity.java |
|
@zcarroll4 as @jpstotz mention jadx already use similar zip security utils (with additional checks to prevent zip bomb attacks #980). Changes in this PR done in code which used only in jadx dev tools and not used in normal jadx operation. Anyway, to unify work with zip files, I will fix this case to use jadx utils in later commit. |
|
Update: |
Description
This change updates all new instances of ZipInputStream to protect against malicious entries that attempt to escape their "file root" and overwrite other files on the running filesystem.
Normally, when you're using
ZipInputStreamit's because you're processing zip files. That code might look like this:This looks fine when it encounters a normal zip entry within a zip file, looking something like this pseudo-data:
However, there's nothing to prevent an attacker from sending an evil entry in the zip that looks more like this:
Yes, in the above code, which looks like every piece of zip-processing code you can find on the Internet, attackers could overwrite any files to which the application has access. This rule replaces the standard
ZipInputStreamwith a hardened subclass which prevents access to entry paths that attempt to traverse directories above the current directory (which no normal zip file should ever do.) Our changes end up looking something like this:Powered by: pixeebot (codemod ID: pixee:java/harden-zip-entry-paths)