Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add entry url validation for unzip utility. Defends against Zip Slip #491

Merged
merged 5 commits into from
Jan 7, 2021
Merged

Add entry url validation for unzip utility. Defends against Zip Slip #491

merged 5 commits into from
Jan 7, 2021

Conversation

cdhoffmann
Copy link
Contributor

Changes to validate that the entries within a zip archive have valid paths. Defends against Zip Slip attack.

@codecov
Copy link

codecov bot commented Jan 7, 2021
edited
Loading

Codecov Report

Merging #491 (8a23742) into dev (8af4af1) will increase coverage by 0.70%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##              dev     #491      +/-   ##
==========================================
+ Coverage   87.08%   87.79%   +0.70%     
==========================================
  Files          92       92              
  Lines        4103     4110       +7     
==========================================
+ Hits         3573     3608      +35     
+ Misses        530      502      -28

shalehaha
shalehaha reviewed Jan 7, 2021
View reviewed changes
AEPServices/Sources/utility/unzip/FileUnzipper.swift
private func isValidPath(_ entryUrl: URL, destination: URL) -> Bool {
let destinationComponents = canonicalize(destination).pathComponents
let entryComponents = canonicalize(entryUrl).pathComponents
return destinationComponents.count < entryComponents.count && !zip(destinationComponents, entryComponents).contains(where: !=)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

interesting, learnt a new method zip

shalehaha
shalehaha approved these changes Jan 7, 2021
View reviewed changes
Copy link
Contributor

@shalehaha shalehaha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. @cdhoffmann have you manually tested this change?

@cdhoffmann
Copy link
Contributor Author

cdhoffmann commented Jan 7, 2021
edited
Loading

Looks good to me. @cdhoffmann have you manually tested this change?

The test i wrote uses the same zip file found in the android tests. It has an entry in the archive named "../Makefile". If you breakpoint through the test you can see it. Lmk if there are other manual tests you think i should do. @jiabingeng

@jiabingeng
Copy link
Contributor

@cdhoffmann it'd be better if you can quickly test it on a physical device.

@cdhoffmann
Copy link
Contributor Author

@cdhoffmann it'd be better if you can quickly test it on a physical device.

@shalehaha Verified on iPhone 12 Pro iOS 14.2.1

@shalehaha shalehaha merged commit 7cd24c4 into adobe:dev Jan 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shalehaha shalehaha shalehaha approved these changes

@yangyansong-adbe yangyansong-adbe yangyansong-adbe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cdhoffmann @jiabingeng @shalehaha @yangyansong-adbe