ZIP Slip

Many web applications allows users to submit files in a compressed format (usually zip file format) to reduce the size of the file that is being uploaded. Later, the application will decompress the compressed files and gets back the actual files in the zip.

ZIP Slip is a highly critical security vulnerability aimed at these kind of applications. ZIP Slip makes your application vulnerable to Path traversal attack and Sensitive data exposure.

                                          [/root]
                                          /   |    \
                                   [/usr1] [/usr2] [/usr3]
                                      |               |
                                 [details.zip]    [details.zip]
                                     /               \
                     [resume.doc][marksheet.pdf] [resume.doc][marksheet.pdf]
  

Consider your application accepts zip file containing candidates’ personal/academic details and auto fills the application form for the user. Ideally the application should unzip the compressed file, read files in the zip one by one, extract meaningful information from the file and finally auto fill the form with corresponding data.

This is done with the help of the code snippet below,

filter_none

edit
close

play_arrow

link
brightness_4
code

while ((entry = zIn.getNextEntry()) != null) {
    String fileName = entry.getName();
    File zFile = new File(destFolder + File.separator + fileName);
    InputStream input = zip.getInputStream(entry);
    // Write the file content
}

chevron_right


If the application doesn’t validate the filenames in the uploaded zip, it is vulnerable to ZIPSlip attack. The user might upload the zip with a specifically crafted file name. In this case a zip with file name
“../usr3/resume.doc” might read the file of the directory /usr3 to which usr1 don’t have any access. This results in sensitive data exposure.



This is because ../ is treated as one level up in the directory structure on Unix based systems.

Here in line #3 of code, we do a simple append operation with fileName and destFolder without any validation. We should have validated these variable values and/or should’ve checked whether zFile is the appropriate directory to which we give write access, missing which the application becomes vulnerable to ZIP Slip attacks.

On worst cases, this could even result in remote access/code execution when the user is able to execute commands or shell scripts in remote fashion. Using this attack, An attacker could gain access to certain directories/folders in the file system outside the intended/privileged folder and can invoke/overwrite files.

It is not even necessary for the attacker to know your directory structure as critical system files from tomcat/apache like etc/passwd etc/hosts can be read since they follow the same directory structure.

Possible Solutions

  1. Force users to name files with standard names.
  2. Strip special characters in file names.
  3. Match and compare filenames with standard regular expressions.
  4. Rename all files in the uploaded zip with generated names before actually using/storing them


My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.