Zip Path Traversal vulnerability

[pwntester]

The unzip APIs are vulnerable to a Zip entry path manipulation (see: https://snyk.io/research/zip-slip-vulnerability) . The library fails to check that the extracted file is going to be created under the destination folder.

A possible fix involves sanitizing the entry name returned by OZFileInZipInfo.name so that it does not contains ..

Also documentation should recommend normalizing the path before writing to disk:

OZZipFile *unzipFile= [[OZZipFile alloc] initWithFileName:@"test.zip"
    mode:OZZipFileModeUnzip];

[unzipFile goToFirstFileInZip];
OZFileInZipInfo *info= [unzipFile getCurrentFileInZipInfo];

OZZipReadStream *read= [unzipFile readCurrentFileInZip];
NSMutableData *data= [[NSMutableData alloc] initWithLength:info.length];
[read readDataWithBuffer:data];

// Do something with data

[read finishedReading];

So adding something like:

NSString *fullName = [NSString stringWithFormat:@"%@/%@", destPath, entry.name];
    
NSString* normalizedName = [fullName stringByStandardizingPath];
if ([normalizedName hasPrefix:destPath]) {
       // extract
} else {
       // fail
}

Cheers,

A

[gianlucabertani]

Thanks for reporting. Will take a look into this.