Introduction

When unzipping, while very rare, some archives can have items whose names contain directory traversal elements like the parent directory "..". With enough of these put together, the effective target file can be computed to be outside the base destination folder specified for the unzip operation.

The Zip specification does allow directory traversal elements in the name of zipped items. As such, those archives are not considered invalid and the components support them. However, the construct can be abused to overwrite important files outside the control of an application. This has been called by security researchers the Zip Slip vulnerability in June 2018.

Is this cause for worry

If an application unzips archives that have been created by Xceed components or other reputable zip tools and libraries, there is no cause to worry. These tools do not allow the creation of zip archive that contain directory traversal elements. This is the overwhelming majority of scenarios.

If an application is meant to unzip archives receives from unknown sources, then measures can be taken to prevent files from being created outside the destination directory if the behavior is not desired.

Which components are affected

Xceed Zip for .NET, Xceed Zip for Xamarin, Xceed Zip for .NET Standard, Xceed Zip for COM/ActiveX and Xceed Zip for x64 will all honor the directory traversal elements in a zipped item name when the automatic unzip methods like CopyTo() and MoveTo() are used.

If an application uses its own custom code to identity and select items to be unzipped, then the vulnerability can be avoided by checking the effective destination path to see if it is outside the base destination folder.

When using automatic methods, an application can monitor the destination path of each item that will be unzipped and exclude those that would fall outside the base destination folder.

Which components are not affected

Xceed Real-Time Zip for .NET, Xceed Real-Time Zip for Xamarin, Xceed Real-Time Zip for .NET Standard and Xceed Real-Time for Silverlight are not affected directly because they do not offer an automatic way to unzip an archive.

It is up to the application code to validate the destination path of each item unzipped from the archive.

Example solution

The AddingItemToProcess event can be used to filter out potentially dangerous zipped items whose names contain relative path elements (like ..\..\) that, during an unzip operation can create or overwrite files outside of the base destination folder.

public static void ZipSlip()
{
  AbstractFile zipFile = new DiskFile( "ZipSlip1.zip" );

  if( !zipFile.Exists )
    throw new InvalidProgramException( "The zip file must exist for this example to work correctly" );

  // Create a logical zip archive around the zip file
  ZipArchive zip = new ZipArchive( zipFile );

  // Create a FileSystemEvents object
  FileSystemEvents events = new FileSystemEvents();

  // Subscribe to the AddingItemToProcess event
  events.AddingItemToProcess += OnAddingItemToProcessExclude;

  // Setup a destination folder
  AbstractFolder destinationFolder = new DiskFolder( @"D:\ZipSlip\Output" );

  // User the destination folder as userData
  object userData = destinationFolder;

  // Unzip the contents of the archive
  zip.CopyFilesTo( events, userData, destinationFolder, true, true );
}

private static void OnAddingItemToProcessExclude( object sender, ItemProcessingEventArgs e )
{
  // Retrieve the destination folder from the user data
  AbstractFolder destinationFolder = ( AbstractFolder ) e.UserData;
  string destinationFullname = destinationFolder.FullName;

  FileSystemItem destinationItem = e.TargetItem;
  string targetPath = destinationItem.FullName;

  // If the target path does not start with the destination path
  if( !targetPath.StartsWith( destinationFullname ) )
  {
    /* The zipped item contains relative path modifiers that make the destination
       go outside the base destination path. In some controlled situations, that
       might be ok, but we chose not to allow it here. We will exclude this item. */

    e.Excluded = true;
  }
}

Public Shared Sub ZipSlip()
  Dim zipFile As AbstractFile = New DiskFile("ZipSlip1.zip")

  If (Not zipFile.Exists) Then
    Throw New InvalidProgramException("The zip file must exist for this example to work correctly")
  End If

  ' Create a logical zip archive around the zip file
  Dim zip As New ZipArchive(zipFile)

  ' Create a FileSystemEvents object
  Dim events As New FileSystemEvents()

  ' Subscribe to the AddingItemToProcess event
  AddHandler events.AddingItemToProcess, AddressOf OnAddingItemToProcessExclude

  ' Setup a destination folder
  Dim destinationFolder As AbstractFolder = New DiskFolder("D:\ZipSlip\Output")

  ' User the destination folder as userData
  Dim userData As Object = destinationFolder

  ' Unzip the contents of the archive
  zip.CopyFilesTo(events, userData, destinationFolder, True, True)
End Sub

Private Shared Sub OnAddingItemToProcessExclude(ByVal sender As Object, ByVal e As ItemProcessingEventArgs)
  ' Retrieve the destination folder from the user data
  Dim destinationFolder As AbstractFolder = CType(e.UserData, AbstractFolder)
  Dim destinationFullname As String = destinationFolder.FullName

  Dim destinationItem As FileSystemItem = e.TargetItem
  Dim targetPath As String = destinationItem.FullName

  ' If the target path does not start with the destination path
  If (Not targetPath.StartsWith(destinationFullname)) Then
    ' The zipped item contains relative path modifiers that make the destination
    ' go outside the base destination path. In some controlled situations, that
    ' might be ok, but we chose not to allow it here. We will exclude this item. 

    e.Excluded = True
  End If
End Sub