fixed path exploit

hayd · Jul 4, 2021 · 14d68e5 · 14d68e5
1 parent fd7453f
commit 14d68e5
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/mod.ts b/mod.ts
@@ -1,6 +1,6 @@
 import  _JSZip from "https://dev.jspm.io/[email protected]";
 import { WalkOptions, walk } from "https://deno.land/[email protected]/fs/walk.ts";
-import { SEP, resolve, dirname } from "https://deno.land/[email protected]/path/mod.ts";
+import { SEP, resolve, dirname, join, common } from "https://deno.land/[email protected]/path/mod.ts";
 import type {
   InputFileFormat,
   JSZipAddFileOptions,
@@ -196,10 +196,16 @@ export class JSZip {
   async unzip(dir: string = "."): Promise<void> {
     // FIXME optionally replace the existing folder prefix with dir.
     const createdDirs = new Set<string>();
+    const absDir = resolve(dir);
 
     for (const fileEntry of this) {
         const filePath = resolve(dir, fileEntry.name);
 
+        const commonRootPath = resolve(join(common([ absDir, filePath ]), "/"));
+        if (commonRootPath !== absDir || commonRootPath === filePath) {
+          throw new Error("Not allowed!");
+        }
+
         const dirPath = fileEntry.dir ? filePath : dirname(filePath);
 
         if (!createdDirs.has(dirPath)) {

diff --git a/test.ts b/test.ts
@@ -1,7 +1,8 @@
 import { decode, encode } from "https://deno.land/[email protected]/encoding/utf8.ts";
 import { join } from "https://deno.land/[email protected]/path/mod.ts";
-import { assertEquals } from "https://deno.land/[email protected]/testing/asserts.ts";
+import { assert, assertEquals, assertThrows, assertThrowsAsync } from "https://deno.land/[email protected]/testing/asserts.ts";
 import { JSZip, readZip, zipDir } from "./mod.ts";
+import { exists } from "https://deno.land/[email protected]/fs/mod.ts";
 
 // FIXME use tmp directory and clean up.
 async function exampleZip(path: string, createDirectories = true) {
@@ -20,6 +21,19 @@ async function exampleZip(path: string, createDirectories = true) {
   await zip.writeZip(path);
 }
 
+// Used for testing path exploits
+async function pathExploitExampleZip() {
+  const zip = new JSZip();
+  zip.addFile("../Hello.txt", "Hello World\n");
+
+  const tempFileName = await Deno.makeTempFile({
+    suffix: ".zip"
+  });
+
+  await zip.writeZip(tempFileName);
+  return tempFileName;
+}
+
 async function fromDir<T>(dir: string, f: () => Promise<T>) {
   const cwd = Deno.cwd();
   Deno.chdir(dir);
@@ -94,4 +108,22 @@ Deno.test("unzip without dir", async () => {
 
   const smile = await Deno.readFile(join(dir, "images", "smile.gif"));
   assertEquals("", decode(smile));
+});
+
+Deno.test("unzip exploit test", async () => {
+  const dir = await Deno.makeTempDir();
+  const unpackDir = join(dir, "unpack");
+  await Deno.mkdir(unpackDir);
+
+  const zipFile = await pathExploitExampleZip();
+  const z = await readZip(zipFile);
+
+  await Deno.remove(zipFile);
+
+  assertThrowsAsync(async () => await z.unzip(unpackDir));
+  assert(!(await exists(join(dir, "Hello.txt"))));
+
+  await Deno.remove(dir, {
+    recursive: true
+  });
 });