Archive is vulnerable to symlink path traversal
Closed this issue · 2 comments
Hello,
While doing some security testing on the archive package, we noticed that it supports symlinks. While symlinks might be an intended functionality of your package, we do believe that symlinks pointing outside the extraction directory are more of a security risk than a feature. Below is an example where we created a symlink pointing to a file secret.txt in the parent directory, zipped it, and extracted it using the extractFileToDisk method from the archive package; the symlink was created back after extraction.
I updated extractArchiveToDisk and extractFileToDisk to not create symlinks that begin with '..' or '/', which would be outside of the extracted path.
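The kind of check described above, written out as an added Dart example. This is not the archive package's own code: it does not touch the package's API, and the function name `symlinkStaysInside`, the constructed extraction directory `/tmp/extract` and the sample targets are assumptions made for illustration. Instead of inspecting only the first characters of the target, it resolves the link's target against the directory that will contain the link and accepts the entry only if the resolved path is still under the extraction directory, so a relative target that passes through a subdirectory before climbing out is rejected as well. It assumes POSIX-style `/`-separated paths.

```dart
// Added example, not code from the archive package: decide whether a symlink
// archive entry may be recreated on disk without escaping the extraction dir.
import 'dart:io';

/// Collapses '.' and '..' segments of an absolute, '/'-separated path into a
/// list of path segments. '..' at the root is dropped rather than escaping.
List<String> _normalize(String absPath) {
  final out = <String>[];
  for (final seg in absPath.split('/')) {
    if (seg.isEmpty || seg == '.') continue;
    if (seg == '..') {
      if (out.isNotEmpty) out.removeLast();
      continue;
    }
    out.add(seg);
  }
  return out;
}

/// True when [path] is [base] itself or lies somewhere beneath it.
bool _isUnder(List<String> path, List<String> base) {
  if (path.length < base.length) return false;
  for (var i = 0; i < base.length; i++) {
    if (path[i] != base[i]) return false;
  }
  return true;
}

/// Returns true when a symlink entry named [linkName] (relative to
/// [extractDir]) whose target is [target] still resolves inside [extractDir].
/// Both the link's own location and its target are checked.
bool symlinkStaysInside(String extractDir, String linkName, String target) {
  final base = _normalize(Directory(extractDir).absolute.path);

  // Where the link itself would be created; entry names are untrusted too.
  final linkFull = _normalize('/${base.join('/')}/$linkName');
  if (linkFull.isEmpty || !_isUnder(linkFull, base)) return false;
  final linkDir = linkFull.sublist(0, linkFull.length - 1);

  // Absolute targets resolve as-is; relative ones resolve from the link's dir.
  final resolved = target.startsWith('/')
      ? _normalize(target)
      : _normalize('/${linkDir.join('/')}/$target');

  return _isUnder(resolved, base);
}

void main() {
  // Constructed sample inputs; '/tmp/extract' is only an assumed directory.
  const dir = '/tmp/extract';
  for (final target in [
    'data/file.txt',            // stays inside
    '../secret.txt',            // parent directory, like the report above
    '/outside/secret.txt',      // absolute target
    'a/../../secret.txt',       // does not start with '..' but still escapes
  ]) {
    final ok = symlinkStaysInside(dir, 'link', target);
    print('${ok ? "allow" : "reject"}  link -> $target');
  }
}
```

An extractor would call `symlinkStaysInside` before creating a symlink for an entry and skip (or fail on) entries for which it returns false. Because the check works on the normalized, resolved path, it covers absolute targets, targets that begin with `..`, and targets that reach the parent directory only after descending first.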
@brendan-duncan you could consider referencing the CVE in your changelog:
GHSA-9v85-q87q-g4vg