title: Secure Coding .NET categories: [cheatsheets]
using (ZipFile zipFile = new ZipFile(filename)) // filename = C:\SomePath\malicious.IFXRep
{
zipFile.Password = null;
foreach (object obj in zipFile)
{
ZipEntry zipEntry = (ZipEntry)obj; // zipEntry loops every File in the Archive
if (zipEntry.IsFile)
{
string name = zipEntry.Name; // name = ..\..\..\..\..\..\malicous\path\traversal\malicious.exe"
byte[] buffer = new byte[4096];
Stream inputStream = zipFile.GetInputStream(zipEntry);
/*
This is the dangerous part! The Path Traversal and the extraction path are combined.
-> "C:\EasyApe\extract\<pid>" + "..\..\..\" = Malicious Path Traversal
The vulnerability here is in the usage of the library and not in the library itself.
*/
string path2 = Path.Combine(path, name);
string directoryName = Path.GetDirectoryName(path2);
if (directoryName != null && directoryName.Length > 0)
{
Directory.CreateDirectory(directoryName);
}
using (FileStream fileStream = File.Create(path2))
{
StreamUtils.Copy(inputStream, fileStream, buffer);
}
}
}
}
A fast way of doing this correctly:
using (FastZip zipFile = new FastZip()) {
zipFile.ExtractZip(filename, "%APPDATA%\Local\EasyAPEPro\EasyAPE\extract\<pid>\")
}