brendan-duncan/archive

Archive is vulnerable to symlink path traversal

Closed this issue · 2 comments

Hello,

While doing some security testing on the archive package, we noticed that it supports symlinks. While symlinks might be an intended functionality of your package, we do believe that symlinks pointing outside the extraction directory are more of a security risk than a feature. Below is an example where we created a symlink pointing to a file secret.txt in the parent directory, zipped it, and extracted it using the extractFileToDisk method from the archive package; the symlink was created back after extraction.

[Screenshot from my workstation]

[Screenshot from my test mobile device]

I updated extractArchiveToDisk and extractFileToDisk to not create symlinks that begin with '..' or '/', which would be outside of the extracted path.
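
The check described in the comment above, written out as an added example in Dart. This is not code from the archive package; the function names (normaliseSegments, isSymlinkTargetSafe, createSymlinkIfSafe) and the sample entries are constructed for illustration. It goes slightly beyond a "starts with '..' or '/'" test by resolving the target lexically against the directory that will contain the link and normalising every '.' and '..' segment before deciding, so the decision does not depend on where in the target a '..' appears:

```dart
import 'dart:io';

// Added example, not part of the archive package. It shows a check an
// extractor can run before creating a symlink entry: the link target is
// resolved lexically against the directory that will contain the link, and
// the link is created only if the result stays under the extraction root.

/// Lexically normalises '/'-separated path segments. Returns null when the
/// path climbs above its starting point, i.e. would leave the extraction root.
List<String>? normaliseSegments(Iterable<String> segments) {
  final out = <String>[];
  for (final s in segments) {
    if (s.isEmpty || s == '.') continue;
    if (s == '..') {
      if (out.isEmpty) return null; // one '..' too many: escapes the root
      out.removeLast();
    } else {
      out.add(s);
    }
  }
  return out;
}

/// True if a symlink stored at [linkName] (archive-relative) with target
/// [target] resolves to a location inside the extraction root.
bool isSymlinkTargetSafe(String linkName, String target) {
  // Absolute targets are never acceptable: POSIX '/', or a Windows drive.
  final t = target.replaceAll('\\', '/');
  if (t.startsWith('/') || RegExp(r'^[A-Za-z]:').hasMatch(t)) return false;
  // The link's own name must stay inside the root as well.
  final linkSegments =
      normaliseSegments(linkName.replaceAll('\\', '/').split('/'));
  if (linkSegments == null) return false;
  // Resolve the target relative to the link's parent directory.
  final parent = linkSegments.isEmpty
      ? <String>[]
      : linkSegments.sublist(0, linkSegments.length - 1);
  return normaliseSegments([...parent, ...t.split('/')]) != null;
}

/// Creates the symlink under [extractRoot] only when the target is safe and
/// reports whether it was created. Unsafe links are skipped, not created,
/// which matches the behaviour of the fix described above.
bool createSymlinkIfSafe(String extractRoot, String linkName, String target) {
  if (!isSymlinkTargetSafe(linkName, target)) return false;
  final linkPath = '$extractRoot/$linkName';
  Directory(linkPath).parent.createSync(recursive: true);
  Link(linkPath).createSync(target);
  return true;
}

void main() {
  // Constructed sample link entries (name -> target); these are made up for
  // the example and are not taken from the report above.
  const cases = {
    'link_to_readme': 'README.md',      // safe
    'docs/link': '../README.md',        // safe: resolves to README.md at root
    'link_to_secret': '../secret.txt',  // unsafe: leaves the root
    'a/link': 'c/../../../x',           // unsafe: escapes after normalising
    'abs': '/tmp/outside.txt',          // unsafe: absolute target
  };
  cases.forEach((name, target) {
    final verdict = isSymlinkTargetSafe(name, target) ? 'allow' : 'skip';
    print('$name -> $target : $verdict');
  });
}
```

The check is purely lexical, so it assumes extraction into a fresh, empty directory: it does not inspect symlinks that already exist on disk under the extraction root, and it cannot replace the filesystem-level resolution an extractor would need if it writes into a directory it does not control.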

@brendan-duncan you could consider referencing the CVE in your changelog:
GHSA-9v85-q87q-g4vg