Faults in hand-made archive file-processing software libraries spread flaw to thousands of open-source projects
Zip Slip is a widespread, critical arbitrary file overwrite vulnerability that typically results in remote command execution. It was discovered and disclosed by the Snyk Security team and affects thousands of projects, including open-source web application projects.
The affected code snippets contain a vulnerability, dubbed Zip Slip, that exposes an application to a directory traversal attack. The flaw lets an attacker write files outside the intended extraction folder, up to the root directory, and from there achieve remote command execution.
Exploitable application flow
Exploiting the application flow requires two parts: a malicious archive and extraction code that does not validate entry paths. To exploit Zip Slip, an attacker needs a specially crafted archive file whose entries contain extra directory path components designed to traverse up to the root directory as the file is extracted.
The premise of a directory traversal vulnerability is that an attacker gains access to parts of the file system outside the target folder in which the extracted files should reside.
Are you vulnerable?
You are vulnerable if you use a library that contains the Zip Slip vulnerability, or if your project directly contains vulnerable code that extracts files from an archive without the necessary directory traversal validation.
The Snyk security team maintains a GitHub repository listing all projects that have been found vulnerable to Zip Slip and have been responsibly disclosed to, including fix dates and versions. The repository is open to contributions from the wider community, to ensure it holds the most up-to-date status.
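As an added illustration of the exploitable flow and the missing validation described above (not code from Snyk or from any affected library), here is a Python sketch of the hand-written extraction pattern beside its hardened form, run over a constructed archive; the entry names, the throwaway directory and all function names are assumptions.

```python
import io
import os
import tempfile
import zipfile
def build_sample_archive() -> bytes:
    # Constructed sample: a benign entry and one that climbs out of the target.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../escaped.txt", "landed outside the target directory\n")
    return buf.getvalue()

def extract_unsafe(archive: bytes, target: str) -> list:
    # Vulnerable form: the entry name is joined onto target with no validation.
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for entry in zf.infolist():
            dest = os.path.join(target, entry.filename)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(entry))
            written.append(os.path.realpath(dest))
    return written

def extract_safe(archive: bytes, target: str) -> list:
    # Hardened form: canonicalise each destination, keep it under the canonical
    # target, and check every entry before writing any of them.
    root = os.path.realpath(target)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = []
        for entry in zf.infolist():
            dest = os.path.realpath(os.path.join(root, entry.filename))
            # commonpath, not startswith: "/tmp/out-x" must not pass for "/tmp/out"
            if os.path.commonpath([root, dest]) != root:
                raise ValueError(f"Zip Slip entry rejected: {entry.filename!r}")
            plan.append((entry, dest))
        for entry, dest in plan:
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(entry))
    return [dest for _, dest in plan]

def demo() -> dict:
    # Run both extractors in a throwaway directory; report paths relative to it.
    base = os.path.realpath(tempfile.mkdtemp())
    unsafe = extract_unsafe(build_sample_archive(), os.path.join(base, "out"))
    try:
        safe = extract_safe(build_sample_archive(), os.path.join(base, "out2"))
    except ValueError as exc:
        safe = str(exc)
    return {"unsafe": [os.path.relpath(p, base).replace(os.sep, "/") for p in unsafe],
            "safe": safe}
```

The unsafe extractor writes `escaped.txt` one level above its target directory, while the hardened one rejects the archive before writing anything.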