4ra1n/jdk-8

[Y4-00006] Prevent All ZIP Slip Vulnerability

4ra1n opened this issue · 0 comments

ZIP Slip is a security flaw affecting a wide range of applications that process maliciously crafted ZIP files. It exists in libraries and tools that extract ZIP archives without correctly validating the path each entry will be written to. An attacker can use it to overwrite important files on the file system, which gives them a foothold for further attacks.

Specifically, ZIP Slip abuses the fact that the ZIP format places no restrictions on entry names, so an entry name may contain relative path components such as ../. When the archive is extracted, an application that does not validate entry names resolves these components against the extraction directory, and the file lands outside it. For instance, an attacker might create a ZIP file containing an entry named ../../etc/passwd. If the application does not check and reject such names, extraction can overwrite /etc/passwd, which is very dangerous on UNIX and Linux systems. In the same way, overwriting critical configuration files (or files that are later executed) can lead to Remote Code Execution (RCE).

In Java, the default ZipEntry performs no validation of entry names at all, so every caller of the ZIP APIs is responsible for the check. Y4-JDK therefore chooses to filter the name returned by ZipEntry.getName, which is sufficient to defend against the vast majority of cases.
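The check described above, applied at the extraction site rather than inside ZipEntry itself, as an added example that is not Y4-JDK's own code. It builds a small archive in memory (a constructed sample, with one benign entry and one ../../etc/passwd entry), then extracts it with a resolve-and-normalize check that rejects any entry whose target path does not stay inside the destination directory. The class and method names (ZipSlipDemo, buildArchive, safeResolve, extract) are chosen here for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    // Constructed sample archive: one benign entry and one traversal entry.
    // ZipOutputStream accepts "../../etc/passwd" as a name without complaint,
    // which is exactly the behaviour the issue describes.
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("docs/readme.txt"));
            zos.write("hello".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../etc/passwd"));
            zos.write("root::0:0::/:/bin/sh\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    // Resolve the entry name against the destination and refuse anything that
    // escapes it after normalization. Path.startsWith compares whole path
    // components, so "/tmp/out-evil" does not pass as a child of "/tmp/out".
    // An absolute entry name ("/etc/passwd") replaces the base on resolve and
    // is rejected by the same check.
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path dest = destDir.toAbsolutePath().normalize();
        Path target = dest.resolve(entryName).normalize();
        if (!target.startsWith(dest)) {
            throw new IOException("ZIP Slip: entry escapes destination: " + entryName);
        }
        return target;
    }

    // Hardened extraction: every entry name goes through safeResolve before
    // any file is created.
    static void extract(byte[] archive, Path destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(archive))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                Path target = safeResolve(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("unzip");
        try {
            extract(buildArchive(), dest);
            System.out.println("extracted without incident (unexpected for this sample)");
        } catch (IOException ex) {
            // Expected for the constructed archive: the second entry is rejected.
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Two caveats worth keeping in mind. First, this streams entries and rejects on the fly, so the benign docs/readme.txt is already on disk when ../../etc/passwd is refused; if partial extraction is unacceptable, validate every name in a first pass (for example with ZipFile.entries()) before writing anything. Second, the check is filesystem-aware through Path, which is what makes it handle absolute names and, on Windows, backslash separators; a plain string search for "../" would miss those forms.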
