Zip Slip

ID

python.zip_slip

Severity

high

Resource

Path Resolution

Language

Python

Tags

CWE:22, CWE:73, NIST.SP.800-53, OWASP:2021:A1, PCI-DSS:6.5.8

Description

Zip Slip is a vulnerability that occurs when entries of an archive (zip, tar, and similar formats) are extracted using their stored names without validating the resulting paths, allowing directory traversal out of the extraction directory and potentially overwriting critical files.

Rationale

The Zip Slip vulnerability arises from extracting files from an archive without validating their paths. Attackers can craft zip files with file paths that traverse directories, enabling them to write files outside the intended directory, potentially overwriting system files or injecting malicious code.

Here is an example of vulnerable Python code using the tarfile module (zipfile is affected in the same way). Note that before Python 3.12, tarfile.extract() and tarfile.extractall() performed no path validation at all; Python 3.12 added the filter argument (PEP 706), and Python 3.14 makes filter="data" the default.

import sys
import tarfile

# Deliberately vulnerable: each member's stored name is used as-is when
# building the destination path, so "../" components and absolute names
# are honoured.
with tarfile.open(sys.argv[1]) as tar:
    for entry in tar:
        tar.extract(entry, "/tmp/unpack/") # FLAW

In this example, member names are never checked, so an entry whose name contains ../ components or starts with / is written outside /tmp/unpack/. Symlink and hard-link members are equally dangerous: a link pointing outside the target directory, followed by a regular entry that writes through it, achieves the same escape.

Remediation

To remediate the Zip Slip vulnerability, resolve each member's path against the target directory before extraction (os.path.realpath, then a prefix check with os.path.commonpath) and skip or reject any member that falls outside it. Reject symlink and hard-link members too unless you also validate their link targets. On Python 3.12 and later, passing filter="data" to extract()/extractall() performs these checks for you and should be used in addition to any application-level filtering.

A remediation would look like this:

import os
import sys
import tarfile
import tempfile


def members_filter(tar, dest):
    """Return only the members whose resolved path stays inside dest."""
    dest = os.path.realpath(dest)
    result = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, member.name))
        # Reject "../" traversal and absolute names that resolve outside dest.
        if os.path.commonpath([dest, target]) != dest:
            continue
        # Links could point outside dest; drop them unless their targets
        # are validated as well.
        if member.issym() or member.islnk():
            continue
        result.append(member)
    return result


filename = sys.argv[1]
dest = tempfile.mkdtemp()

with tarfile.open(filename) as tar:
    tar.extractall(path=dest, members=members_filter(tar, dest))
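The following is an added, self-contained example (not code from the original page) that builds a constructed malicious tar archive in memory and runs it through a hardened extractor. The archive carries one benign file plus three Zip Slip payloads: a ../ traversal name, an absolute name, and a symlink pointing outside the unpack directory followed by a file that would be written through that link. The names safe_extract, build_malicious_tar and demo are assumptions introduced here for illustration.

```python
import io
import os
import sys
import tarfile
import tempfile


def build_malicious_tar() -> bytes:
    """Constructed sample archive (not a real-world payload): one benign
    entry plus three traversal attempts typical of a Zip Slip archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            # addfile() writes the TarInfo name verbatim, so "../" and
            # leading "/" survive, unlike tar.add() which normalises them.
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("good/readme.txt", b"benign\n")
        add_file("../../escaped.txt", b"outside the unpack dir\n")
        add_file("/tmp/absolute.txt", b"absolute path\n")
        link = tarfile.TarInfo("good/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"          # escapes via the link target
        tar.addfile(link)
        add_file("good/link/passwd", b"written through the symlink\n")
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest: str):
    """Extract only members that resolve inside dest.

    Returns (kept, rejected) lists of member names. Members are classified
    before anything is written, and links are dropped outright, so a later
    entry cannot be routed through a link created by an earlier one."""
    dest_real = os.path.realpath(dest)
    kept, rejected, safe_members = [], [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, m.name))
            # Catches "../" components and absolute names (os.path.join
            # discards dest_real when m.name is absolute).
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(m.name)
                continue
            if m.issym() or m.islnk():
                rejected.append(m.name)
                continue
            safe_members.append(m)
            kept.append(m.name)
        # Defence in depth: on Python 3.12+ let tarfile re-check the same
        # members with its built-in "data" filter.
        extra = {"filter": "data"} if sys.version_info >= (3, 12) else {}
        tar.extractall(path=dest_real, members=safe_members, **extra)
    return kept, rejected


def demo():
    """Run safe_extract on the constructed archive in a fresh temp dir."""
    dest = tempfile.mkdtemp(prefix="unpack-")
    kept, rejected = safe_extract(build_malicious_tar(), dest)
    with open(os.path.join(dest, "good", "readme.txt"), "rb") as f:
        readme = f.read()
    return kept, rejected, readme


if __name__ == "__main__":
    kept, rejected, readme = demo()
    print("kept:    ", kept)
    print("rejected:", rejected)
    print("readme:  ", readme)
```

Because the symlink good/link is rejected before extraction starts, the later entry good/link/passwd resolves lexically to a path inside the unpack directory and is extracted as an ordinary file under a real directory named good/link, rather than through a link to /etc. If your application needs symlinks from archives, validate each link's target with the same realpath/commonpath check instead of dropping it.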

References

  • CWE-22 : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

  • CWE-73 : External Control of File Name or Path.