7/5/2023

Ruby zip cpgz

```ruby
# Is the name a relative path, free of `..` patterns that could lead to
# path traversal attacks? This does NOT handle symlinks; if the path
# contains symlinks, this check is NOT enough to guarantee safety.
relative?
root = ::File::SEPARATOR
naive_expanded_path = ::File.
```

In the code above, if the destination path is passed to the `Entry#extract` function then it is not actually checked. A comment in the source code of that function highlights the user's responsibility:

```ruby
# NB: The caller is responsible for making sure dest_path is safe, if it is passed.
```

While `Entry#name_safe?` is a fair check against path traversals (and absolute paths), it is only executed when the function is called without arguments.

In order to verify the library bug we generated a ZIP PoC using the old (and still good) evilarc, and extracted the malicious file using the following code:

```
irb(main):001:0> require 'pathname'
=> true
irb(main):002:0> parent_directory = Pathname.new("/tmp/random_uuid/")
=> #
irb(main):003:0> entry_path = Pathname.new(parent_directory + File.dirname("../../path/traversal"))
=> #
irb(main):004:0> destination_folder = Pathname.new(parent_directory + "../../path/traversal")
=> #
```
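Since `Entry#extract` leaves a caller-supplied destination path unchecked, the caller has to validate it before extracting. The following is an added example, not code from the original post or from rubyzip, of one such check using only the Ruby standard library; it also covers the symlink case that the `name_safe?` comment says is not handled. The helper names `inside?` and `safe_destination` and the sample directory layout are assumptions made for illustration.

```ruby
require 'pathname'
require 'tmpdir'
require 'fileutils'

# True when path is root itself or lies below it (both absolute Pathnames).
def inside?(root, path)
  path.relative_path_from(root).each_filename.first != '..'
end

# Hypothetical helper, not part of rubyzip: returns the Pathname an entry may
# be written to, or nil when it would land outside extraction_root.
def safe_destination(extraction_root, entry_name)
  root = Pathname.new(extraction_root).realpath # must exist; symlinks resolved
  name = entry_name.to_s
  return nil if name.empty? || name.include?("\0") || Pathname.new(name).absolute?

  # Lexical check: collapse "." and ".." the same way Pathname#+ does.
  candidate = root.join(name).cleanpath
  return nil if candidate == root || !inside?(root, candidate)

  # Symlink check: resolve the deepest component that already exists on disk
  # and make sure it is still inside the extraction root.
  existing = candidate.ascend.find { |p| p.exist? || p.symlink? }
  inside?(root, existing.realpath) ? candidate : nil
rescue Errno::ENOENT # missing root, or a dangling symlink on the way
  nil
end

# Constructed sample: an extraction root containing a symlink that points out.
def demo_results
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, 'random_uuid')
    FileUtils.mkdir_p([root, File.join(tmp, 'outside')])
    File.symlink(File.join(tmp, 'outside'), File.join(root, 'link'))
    ['docs/readme.txt', '../../path/traversal', '/etc/passwd', 'link/file']
      .to_h { |n| [n, !safe_destination(root, n).nil?] }
  end
end

p demo_results if $PROGRAM_NAME == __FILE__
```

Only a non-nil result from `safe_destination` should be used as the destination path; a nil result means the entry is skipped or the extraction is aborted.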