Validate symlink targets during ZIP extraction to prevent path traversal#2667
Validate symlink targets during ZIP extraction to prevent path traversal#2667rm335 wants to merge 2 commits into
Conversation
|
We don't want to manually modify any code under |
ec20b7f to
a6e9b04
Compare
|
Good call! The embedded |
|
I have not reviewed these changes because CI is currently failing. |
|
I did only pull merge request if there is anything you need me to do let me know |
|
I'm going to close this PR since CI is failing, please feel free to re-open if you address the build failures |
|
I was requesting the pull for new builds or to update if any |
Summary
.lottie(ZIP) extractionisContained(in:), but symlink targets were not — a malicious.lottiefile could create symlinks pointing to arbitrary system files (e.g.,/etc/passwd)allowedDestinationparameter toArchive.extract(_:to:...)and pass the destination directory fromunzipItem, so symlink targets (both absolute and relative) are resolved and validated before creationTest plan
swift buildsucceeds (confirmed locally).lottieZIP containing a symlink with an absolute target outside the extraction directory (e.g.,/etc/passwd) and confirm extraction throwsCocoaError(.fileReadInvalidFileName).lottieZIP containing a symlink with a relative target escaping via../../and confirm extraction throws.lottieZIP containing a symlink with a valid relative target within the extraction directory and confirm extraction succeeds