This is an intentionally vulnerable application. It was purposely designed to demonstrate the capabilities of Snyk's Reachable Vulnerabilities feature and includes both a "Reachable" vulnerability (with a direct data flow to the vulnerable function) and a "Potentially Reachable" vulnerability (where only partial data exists for determining reachability).
An exploit is using a vulnerability called ZipSlip - a critical vulnerability discovered
by Snyk, which typically results in remote command execution. As part of the exploit, a special zip archive is
crafted (attached as malicious_file.zip
). When this file is extracted by a vulnerable function, it will create a file
called good.txt
in the folder unzipped
, but it will also create a file called evil.txt
in the /tmp/
folder.
This example is not dangerous, of course, but demonstrates the risk the vulnerability poses - imagine overwriting .ssh/authorized_keys
or another sensitive file.
This vulnerability is not exploited. It demonstrates potentially vulnerable code, for which data about vulnerable functions is not available.
- Checkout this repository (
git checkout git@github.com:snyk/java-reachability-playground.git
) - Install all the dependencies (
mvn install
) - Compile the project (
mvn compile
) - Run the main class (
mvn exec:java -Dexec.mainClass=Unzipper
); the application should throw an exception sayingMalicious file /tmp/evil.txt was created
. - Run snyk command with Reachable Vulnerabilities flag (
snyk test --reachable
orsnyk monitor --reachable
); you should see the vulnerabilitySNYK-JAVA-ORGND4J-72550
marked as reachable and the function call path to the vulnerability
- Make sure you build the artifacts with
./gradlew build
- To see test results run
snyk test --file=build.gradle --reachable
or monitor:snyk monitor --file=build.gradle --reachable
Note: Once the java application is run, malicious_file.zip
will be deleted by it. To run it again, run git checkout .
prior
to next java run.