Improve ZipSlip sanitization and output-dir checks

Strengthen path sanitization and guard extraction from directory escape. FileEntry.ZipSlipSanitize was made internal and enhanced to normalize separators, strip Windows drive roots and leading separators, remove ".." sequences, and collapse double separators. Extractor now resolves full target paths and ensures they start with the resolved output directory (sync, parallel, and async extraction), skipping and logging entries that would escape. Added comprehensive unit tests (SanitizePathTests) covering absolute paths, drive roots, traversal, combined attacks, separator collapsing, and FileEntry behavior.

Author: gfs

RecursiveExtractor.Tests/SanitizePathTests.cs

@@ -35,6 +35,131 @@ public void TestSanitizePathLinux(string linuxInputPath, string expectedLinuxPat
             }
         }
 
+        /// <summary>
+        /// ZipSlipSanitize should strip leading slashes to prevent absolute path traversal.
+        /// On any OS, a Unix-style absolute path like "/etc/passwd" must become relative.
+        /// </summary>
+        [Theory]
+        [InlineData("/etc/passwd", "etc/passwd")]
+        [InlineData("/tmp/evil.txt", "tmp/evil.txt")]
+        [InlineData("///triple/leading", "triple/leading")]
+        [InlineData("/", "")]
+        public void TestZipSlipSanitize_AbsoluteUnixPaths(string input, string expected)
+        {
+            // Normalize expected to the current OS separator
+            expected = expected.Replace('/', Path.DirectorySeparatorChar);
+            var result = FileEntry.ZipSlipSanitize(input);
+            Assert.Equal(expected, result);
+        }
+
+        /// <summary>
+        /// ZipSlipSanitize should strip Windows drive letter roots.
+        /// </summary>
+        [Theory]
+        [InlineData("C:\\Windows\\System32\\evil.dll", "Windows/System32/evil.dll")]
+        [InlineData("D:/data/file.txt", "data/file.txt")]
+        [InlineData("C:\\", "")]
+        [InlineData("C:/", "")]
+        public void TestZipSlipSanitize_AbsoluteWindowsPaths(string input, string expected)
+        {
+            expected = expected.Replace('/', Path.DirectorySeparatorChar);
+            var result = FileEntry.ZipSlipSanitize(input);
+            Assert.Equal(expected, result);
+        }
+
+        /// <summary>
+        /// ZipSlipSanitize should strip ".." directory traversal components.
+        /// </summary>
+        [Theory]
+        [InlineData("foo/../../../etc/passwd", "foo/etc/passwd")]
+        [InlineData("../secret.txt", "secret.txt")]
+        [InlineData("a/b/../../c", "a/b/c")]
+        public void TestZipSlipSanitize_DotDotTraversal(string input, string expected)
+        {
+            expected = expected.Replace('/', Path.DirectorySeparatorChar);
+            var result = FileEntry.ZipSlipSanitize(input);
+            Assert.Equal(expected, result);
+        }
+
+        /// <summary>
+        /// ZipSlipSanitize should handle combined absolute + traversal attacks.
+        /// After ".." is stripped, exposed leading separators are also stripped.
+        /// </summary>
+        [Theory]
+        [InlineData("/../../etc/passwd", "etc/passwd")]
+        [InlineData("C:\\..\\..\\Windows\\evil.dll", "Windows/evil.dll")]
+        [InlineData("/../../../tmp/evil", "tmp/evil")]
+        public void TestZipSlipSanitize_CombinedAbsoluteAndTraversal(string input, string expected)
+        {
+            expected = expected.Replace('/', Path.DirectorySeparatorChar);
+            var result = FileEntry.ZipSlipSanitize(input);
+            Assert.Equal(expected, result);
+        }
+
+        /// <summary>
+        /// ZipSlipSanitize should collapse double separators that result from stripping.
+        /// </summary>
+        [Theory]
+        [InlineData("a/../b", "a/b")]
+        [InlineData("a/../../b", "a/b")]
+        public void TestZipSlipSanitize_CollapsesDoubleSeparators(string input, string expected)
+        {
+            expected = expected.Replace('/', Path.DirectorySeparatorChar);
+            var result = FileEntry.ZipSlipSanitize(input);
+            Assert.Equal(expected, result);
+        }
+
+        /// <summary>
+        /// Safe relative paths should pass through unmodified.
+        /// </summary>
+        [Theory]
+        [InlineData("normal/path/file.txt", "normal/path/file.txt")]
+        [InlineData("file.txt", "file.txt")]
+        [InlineData("a/b/c/d.txt", "a/b/c/d.txt")]
+        public void TestZipSlipSanitize_SafePathsUnchanged(string input, string expected)
+        {
+            expected = expected.Replace('/', Path.DirectorySeparatorChar);
+            var result = FileEntry.ZipSlipSanitize(input);
+            Assert.Equal(expected, result);
+        }
+
+        /// <summary>
+        /// FileEntry.FullPath should never be absolute when constructed with a parent,
+        /// even if the entry name is an absolute path.
+        /// </summary>
+        [Fact]
+        public void TestFileEntry_AbsoluteEntryName_BecomesRelative()
+        {
+            var parent = new FileEntry("archive.zip", Stream.Null);
+            var child = new FileEntry("/etc/cron.d/evil", Stream.Null, parent);
+            Assert.False(Path.IsPathRooted(child.FullPath),
+                $"FullPath should be relative but was: {child.FullPath}");
+            Assert.DoesNotContain("..", child.FullPath);
+        }
+
+        /// <summary>
+        /// FileEntry.FullPath should not contain ".." even when the entry name has traversal.
+        /// </summary>
+        [Fact]
+        public void TestFileEntry_TraversalEntryName_Sanitized()
+        {
+            var parent = new FileEntry("archive.tar", Stream.Null);
+            var child = new FileEntry("../../../etc/passwd", Stream.Null, parent);
+            Assert.DoesNotContain("..", child.FullPath);
+        }
+
+        /// <summary>
+        /// Backslash-rooted paths should also be made relative.
+        /// </summary>
+        [Fact]
+        public void TestFileEntry_BackslashRooted_BecomesRelative()
+        {
+            var parent = new FileEntry("archive.zip", Stream.Null);
+            var child = new FileEntry("\\Windows\\System32\\evil.dll", Stream.Null, parent);
+            Assert.False(Path.IsPathRooted(child.FullPath),
+                $"FullPath should be relative but was: {child.FullPath}");
+        }
+
         protected static readonly NLog.Logger Logger = NLog.LogManager.GetCurrentClassLogger();
     }
 }

RecursiveExtractor/Extractor.cs

@@ -495,9 +495,16 @@ public ExtractionStatusCode ExtractToDirectory(string outputDirectory, FileEntry
             opts ??= new ExtractorOptions();
             if (!opts.Parallel)
             {
+                var fullOutputDir = Path.GetFullPath(outputDirectory) + Path.DirectorySeparatorChar;
                 foreach (var entry in Extract(fileEntry, opts))
                 {
                     var targetPath = Path.Combine(outputDirectory, entry.GetSanitizedPath());
+                    var fullTargetPath = Path.GetFullPath(targetPath);
+                    if (!fullTargetPath.StartsWith(fullOutputDir, StringComparison.Ordinal))
+                    {
+                        Logger.Warn("Skipping entry that would escape output directory: {0}", entry.FullPath);
+                        continue;
+                    }
                     if (Path.GetDirectoryName(targetPath) is { } directoryPathNotNull && targetPath is { } targetPathNotNull)
                     {
                         try
@@ -537,6 +544,7 @@ public ExtractionStatusCode ExtractToDirectory(string outputDirectory, FileEntry
                     using var enumerator = extractedEnumeration.GetEnumerator();
                     // Move to the first element to prepare
                     ConcurrentBag<FileEntry> entryBatch = new();
+                    var parallelFullOutputDir = Path.GetFullPath(outputDirectory) + Path.DirectorySeparatorChar;
                     bool moreAvailable = enumerator.MoveNext();
                     while (moreAvailable)
                     {
@@ -559,6 +567,12 @@ public ExtractionStatusCode ExtractToDirectory(string outputDirectory, FileEntry
                         Parallel.ForEach(entryBatch, new ParallelOptions() { CancellationToken = cts.Token }, entry =>
                         {
                             var targetPath = Path.Combine(outputDirectory, entry.GetSanitizedPath());
+                            var fullTargetPath = Path.GetFullPath(targetPath);
+                            if (!fullTargetPath.StartsWith(parallelFullOutputDir, StringComparison.Ordinal))
+                            {
+                                Logger.Warn("Skipping entry that would escape output directory: {0}", entry.FullPath);
+                                return;
+                            }
 
                             if (Path.GetDirectoryName(targetPath) is { } directoryPathNotNull && targetPath is { } targetPathNotNull)
                             {
@@ -645,11 +659,18 @@ public async Task<ExtractionStatusCode> ExtractToDirectoryAsync(string outputDir
         /// <param name="printNames">If we should print the filename when writing it out to disc.</param>
         public async Task<ExtractionStatusCode> ExtractToDirectoryAsync(string outputDirectory, FileEntry fileEntry, ExtractorOptions? opts = null, IEnumerable<Regex>? acceptFilters = null, IEnumerable<Regex>? denyFilters = null, bool printNames = false)
         {
+            var asyncFullOutputDir = Path.GetFullPath(outputDirectory) + Path.DirectorySeparatorChar;
             await foreach (var entry in ExtractAsync(fileEntry, opts))
             {
                 if (opts?.FileNamePasses(entry.FullPath) ?? true)
                 {
                     var targetPath = Path.Combine(outputDirectory, entry.GetSanitizedPath());
+                    var fullTargetPath = Path.GetFullPath(targetPath);
+                    if (!fullTargetPath.StartsWith(asyncFullOutputDir, StringComparison.Ordinal))
+                    {
+                        Logger.Warn("Skipping entry that would escape output directory: {0}", entry.FullPath);
+                        continue;
+                    }
 
                     if (Path.GetDirectoryName(targetPath) is { } directoryPathNotNull && targetPath is { } targetPathNotNull)
                     {

RecursiveExtractor/FileEntry.cs

@@ -297,23 +297,48 @@ public static async Task<FileEntry> FromStreamAsync(string name, Stream content,
         }
 
         /// <summary>
-        /// Replace .. for ZipSlip and remove any doubled up directory separators as a result - https://snyk.io/research/zip-slip-vulnerability
+        /// Sanitize paths to prevent ZipSlip (directory traversal) and absolute path traversal.
+        /// Strips leading directory separators and drive letter roots, removes ".." sequences,
+        /// and collapses resulting double separators. See https://snyk.io/research/zip-slip-vulnerability
         /// </summary>
         /// <param name="fullPath">The path to sanitize</param>
         /// <param name="replacement">The string to replace .. with</param>
-        /// <returns>A path without ZipSlip</returns>
+        /// <returns>A relative path safe from directory traversal</returns>
         [Pure]
-        private static string ZipSlipSanitize(string fullPath, string replacement = "")
+        internal static string ZipSlipSanitize(string fullPath, string replacement = "")
         {
+            // Normalize all separators to the OS-native separator
+            fullPath = fullPath.Replace('\\', Path.DirectorySeparatorChar).Replace('/', Path.DirectorySeparatorChar);
+
+            // Strip Windows drive letter roots (e.g., "C:\", "D:/")
+            if (fullPath.Length >= 2 && char.IsLetter(fullPath[0]) && fullPath[1] == ':')
+            {
+                fullPath = fullPath.Substring(2);
+            }
+
+            // Strip leading directory separators to prevent absolute path traversal
+            while (fullPath.Length > 0 && fullPath[0] == Path.DirectorySeparatorChar)
+            {
+                fullPath = fullPath.Substring(1);
+            }
+
             if (fullPath.Contains(".."))
             {
                 fullPath = fullPath.Replace("..", replacement);
-                var directorySeparator = Path.DirectorySeparatorChar.ToString();
-                var doubleSeparator = $"{directorySeparator},{directorySeparator}";
-                while (fullPath.Contains(doubleSeparator))
-                {
-                    fullPath = fullPath.Replace(doubleSeparator, $"{directorySeparator}");
-                }
+            }
+
+            // Strip leading separators again (removal of ".." can expose them, e.g. "../x" → "/x")
+            while (fullPath.Length > 0 && fullPath[0] == Path.DirectorySeparatorChar)
+            {
+                fullPath = fullPath.Substring(1);
+            }
+
+            // Collapse double separators (can result from .. removal or root stripping)
+            var directorySeparator = Path.DirectorySeparatorChar.ToString();
+            var doubleSeparator = $"{directorySeparator}{directorySeparator}";
+            while (fullPath.Contains(doubleSeparator))
+            {
+                fullPath = fullPath.Replace(doubleSeparator, directorySeparator);
             }
 
             return fullPath;