-
Type:
Vulnerability Detection
-
Status: Active
-
Resolution: Unresolved
-
Message:Refactor this code to not construct the extracted file/dir from tainted, user-controlled data.
-
Default Severity:Critical
-
Impact:High
-
Likelihood:Low
-
Targeted languages:C#, Java, PHP
-
Irrelevant for Languages:ABAP, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Objective-C, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
-
Remediation Function:Constant/Issue
-
Constant Cost:30min
-
Analysis Level:Abstract Interpretation
-
Analysis Scope:Main Sources
-
Common Rule:Yes
-
CERT:IDS04-J.
-
CWE:CWE-409
-
OWASP:A1
Libraries used to unarchive a file (zip, bzip2, tar, ...) do what they were made for: they extract the content of the archive blindly, creating on the filesystem directories and files corresponding exactly to the content of the archive. Using a specially crafted archive containing some path traversal filenames, it is possible to create directories/files outside of the dir where the archive is extracted. This can lead to overwriting an executable or a configuration file with a file containing malicious code and transform a simple archive into a way to execute arbitrary code.
See
- OWASP Top 10 2017 Category A1 - Injection
- MITRE, CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)
- CERT, IDS04-J. - Safely extract files from ZipInputStream
- Snyk Research Team: Zip Slip Vulnerability
- https://nvd.nist.gov/vuln/detail/CVE-2016-0709
- https://nvd.nist.gov/vuln/detail/CVE-2017-5946
1.
|
Java | RSPEC-4960 |
|
Active | Unassigned |
2.
|
C# | RSPEC-5052 |
|
Active | Unassigned |
