
Potential Zip Slip vulnerability on downloader.go

Open nicowaisman opened this issue 6 years ago • 2 comments

Hey prototool team, we found a function that is potentially vulnerable to the Zip Slip vulnerability. The idea of the vulnerability is that by triggering a path traversal on a zip file you are able to write files outside of your folder (https://cwe.mitre.org/data/definitions/29.html). Here is the vulnerable function: https://github.com/uber/prototool/blob/dev/internal/protoc/downloader.go#L245

We are well aware that the downloaded files passed to unzip only come from a specific URL provided by prototool, so the risk is really low, but we thought we should let you know about the potential risk.

Regards, Semmle Security Team. Discovered by Max Schaefer.

nicowaisman avatar Sep 10 '19 14:09 nicowaisman

Appreciate the heads up. Agreed the risk is low, but we can address it nonetheless. Any feedback you have on how others have mitigated the risk in Go would be helpful.

smaye81 avatar Sep 11 '19 02:09 smaye81

Here is how other people have fixed this problem:

https://github.com/mholt/archiver/pull/169/commits/d818164a438603f1ba3fa952c7d99321f924301c
https://github.com/openshift/source-to-image/commit/f5cbcbc5cc6f8cc2f479a7302443bea407a700cb

Or you could check this article: https://golangcode.com/unzip-files-in-go/ Relevant snippet:

```go
if !strings.HasPrefix(path, filepath.Clean(dest)+string(os.PathSeparator)) {
    return fmt.Errorf("%s: illegal file path", path)
}
```

nicowaisman avatar Sep 11 '19 10:09 nicowaisman
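As an added example, not code from the prototool project or from either participant in this thread, the following Go program shows the prefix check from the snippet above wired into a complete extractor. The names `safeJoin`, `unzipBytes`, `buildArchive` and `entry` are hypothetical, the archives are constructed in memory purely for the demonstration, and the handling of `zip.ErrInsecurePath` assumes Go 1.20 or later. Two design points go beyond the quoted snippet: every entry name is validated before anything is written, so a bad archive cannot partially extract, and symlink entries are refused outright because a prefix check on the entry name alone does not cover them.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrIllegalPath is returned for any archive entry that would land outside dest.
var ErrIllegalPath = errors.New("illegal file path")

// safeJoin (hypothetical name) is the check from the quoted snippet. filepath.Join
// cleans "../" segments, so a traversal name resolves to a path outside dest and
// fails the prefix test. A name that resolves to dest itself ("." or "") is
// rejected as well, since it cannot be a file to write.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	path := filepath.Join(cleanDest, name)
	if !strings.HasPrefix(path, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%s: %w", name, ErrIllegalPath)
	}
	return path, nil
}

// unzipBytes (hypothetical name) extracts an in-memory archive into dest. It
// validates every entry first so a rejected archive leaves dest untouched, and
// it refuses symlink entries, which the name check alone cannot police.
func unzipBytes(data []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ may flag "../" names itself but still returns a usable reader;
	// we let our own check below produce the error.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	targets := make([]string, 0, len(r.File))
	for _, f := range r.File {
		if f.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("%s: symlink entries not allowed", f.Name)
		}
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, target)
	}
	var written []string
	for i, f := range r.File {
		target := targets[i]
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
		if err != nil {
			rc.Close()
			return written, err
		}
		_, err = io.Copy(out, rc)
		out.Close()
		rc.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

// entry and buildArchive build a constructed test archive in memory; zip.Writer
// stores entry names verbatim, so a "../" name survives into the archive.
type entry struct{ name, body string }

func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range entries {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "zipslip-demo")
	defer os.RemoveAll(dest)
	good := buildArchive([]entry{{"ok.txt", "fine"}, {"sub/ok2.txt", "also fine"}})
	bad := buildArchive([]entry{{"ok.txt", "fine"}, {"../evil.txt", "escaped"}})
	fmt.Println(unzipBytes(good, dest)) // two paths under dest, <nil>
	fmt.Println(unzipBytes(bad, dest))  // [], "../evil.txt: illegal file path"
}
```

Note that `filepath.Join` treats an absolute entry name such as `/etc/x` as relative, so it is contained under `dest` rather than rejected; that is the same behaviour the quoted snippet has, and it is safe for this purpose because the file still cannot leave `dest`.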