-
Notifications
You must be signed in to change notification settings - Fork 40
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add entry url validation for unzip utility. Defends against Zip Slip #491
Conversation
Codecov Report
@@ Coverage Diff @@
## dev #491 +/- ##
==========================================
+ Coverage 87.08% 87.79% +0.70%
==========================================
Files 92 92
Lines 4103 4110 +7
==========================================
+ Hits 3573 3608 +35
+ Misses 530 502 -28 |
private func isValidPath(_ entryUrl: URL, destination: URL) -> Bool { | ||
let destinationComponents = canonicalize(destination).pathComponents | ||
let entryComponents = canonicalize(entryUrl).pathComponents | ||
return destinationComponents.count < entryComponents.count && !zip(destinationComponents, entryComponents).contains(where: !=) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
interesting, learnt a new method zip
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. @cdhoffmann have you manually tested this change?
The test i wrote uses the same zip file found in the android tests. It has an entry in the archive named "../Makefile". If you breakpoint through the test you can see it. Lmk if there are other manual tests you think i should do. @jiabingeng |
@cdhoffmann it'd be better if you can quickly test it on a physical device. |
@shalehaha Verified on iPhone 12 Pro iOS 14.2.1 |
Changes to validate that the entries within a zip archive have valid paths. Defends against Zip Slip attack.