github/securitylab

[Swift]: Unsafe Unpacking Query

maikypedia opened this issue · 7 comments

Query PR

github/codeql#14888

Language

Swift

CVE(s) ID list

CWE

CWE-022

Report

This query covers the Unsafe Unpack vulnerability: unpacking from a malicious zip without properly validating that the destination file path is within the destination directory, or allowing symlinks to point to files outside the extraction directory, allows an attacker to extract files to arbitrary locations outside the extraction directory. This can lead to overwriting sensitive user data and, in some cases, to remote code execution.

I used a dataflow configuration looking for RemoteFlowSource flowing to the package unzipping. As Zip and ZIPFoundation only accept file paths and not raw data, I have introduced UnsafeUnpackAdditionalDataFlowStep to address scenarios where the file is downloaded remotely, ensuring that the remote file destination path is utilized in the unpacking process.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response
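The pattern the report above describes, as an added Swift example that is not code from the CodeQL PR or from either library: the remote-download-to-unzip sink beside an extraction loop that resolves each entry's destination, checks it stays inside the extraction directory, and refuses symlink entries. ZIPFoundation's `unzipItem`, `Archive`, `Entry.path`, `Entry.type` and `extract` are used as the library documents them (the throwing `Archive` initializer assumes ZIPFoundation 0.9.17 or later); `UnpackError`, `containedDestination`, `unsafeUnpack` and `safeUnpack` are names introduced here.

```swift
import Foundation
import ZIPFoundation  // assumed dependency: github.com/weichsel/ZIPFoundation

enum UnpackError: Error {
    case escapesDestination(String)
    case symlinkEntry(String)
}

/// Resolve `entryPath` under `destination` and confirm the result stays inside it.
/// Catches "../" sequences and any entry name that standardizes to a path outside.
func containedDestination(for entryPath: String, in destination: URL) throws -> URL {
    let base = destination.standardizedFileURL.resolvingSymlinksInPath()
    let target = base.appendingPathComponent(entryPath).standardizedFileURL
    // Compare with a trailing "/" so "/tmp/out" does not accept "/tmp/outside/x".
    let basePath = base.path.hasSuffix("/") ? base.path : base.path + "/"
    guard target.path == base.path || target.path.hasPrefix(basePath) else {
        throw UnpackError.escapesDestination(entryPath)
    }
    return target
}

// Sink the query flags: an archive fetched from a remote source is handed straight
// to the library, which writes wherever the entry names point.
func unsafeUnpack(downloadedArchive: URL, to destination: URL) throws {
    try FileManager.default.unzipItem(at: downloadedArchive, to: destination)
}

// Hardened variant: extract entry by entry. Each target is validated before any
// write, and symlink entries are refused outright, which also stops a later entry
// from being written through a link an earlier entry created.
func safeUnpack(downloadedArchive: URL, to destination: URL) throws {
    let archive = try Archive(url: downloadedArchive, accessMode: .read)
    for entry in archive {
        if entry.type == .symlink {
            throw UnpackError.symlinkEntry(entry.path)
        }
        let target = try containedDestination(for: entry.path, in: destination)
        _ = try archive.extract(entry, to: target)
    }
}
```

`containedDestination` depends only on Foundation, so it can be unit-tested with constructed entry names such as `"../../etc/passwd"` (expected to throw) and `"docs/readme.txt"` (expected to resolve under the destination) without any archive on disk.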

btw Swift is missing here :p

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Hi @maikypedia
The submission cannot move forward to payment before the PR is merged.
There are a few minor comments to the PR before it gets merged, can you please address them?

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Created Hackerone report 2372436 for bounty 550872 : [802] [Swift]: Unsafe Unpacking Query

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed