Description
Problem Statement
We recently discovered that the patch for the historical vulnerability CVE-2018-1002201 in zt-zip is incomplete.
zt-zip added the following checks to restrict arbitrary malicious file creation and writing:
+ if (name.indexOf("..") != -1 && !destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+ throw new MaliciousZipException(outputDir, name);
+ }
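Review bot: `destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())` is a character-prefix comparison on two strings, so it does not enforce a directory-separator boundary between the output directory and whatever follows it; comparing `Path` objects instead (`destFile.getCanonicalFile().toPath().startsWith(outputDir.getCanonicalFile().toPath())`) makes the test element by element. Separately, the leading `name.indexOf("..") != -1 &&` means the canonical-path check only runs for entry names that contain `..`; dropping that guard so every entry is validated is easier to reason about and costs one canonicalisation per entry.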
However, an attacker could craft a malicious request to bypass this patch. For security reasons, we are not providing the specific exploit here. As a reference, a similar incomplete fix occurred in Tomcat. CVE-2020-9484 used the same method to address the vulnerability, but CVE-2021-25329 exposed the shortcomings of that fix.
The patch for CVE-2020-9484 (apache/tomcat@bb33048#diff-d2801d6b9c9ff6f98a6871accb7e61499ed3899f5234028997387ad65906e5e7):
+ if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+ return null;
+ }
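Review bot: this is the same string-prefix pattern as the zt-zip check: `startsWith` on the two canonical path strings does not require a path-separator boundary after `storageDir`, which is what the follow-up for CVE-2021-25329 changes to a `Path.startsWith` comparison. Returning `null` here is only safe if every caller treats `null` as "no session file", so that contract should be documented on the method.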
The patch for CVE-2021-25329 (apache/tomcat@6d66e99):
- if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+ if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
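Review bot: `Path.startsWith(Path)` compares path elements, so `storageDir` can now only match as a whole directory component and the boundary problem in the replaced line is closed. Note that `Path.startsWith` also returns true when the two paths are equal, so a `file` that canonicalises to the storage directory itself passes this check; if that is never a valid session file, add an explicit `equals` rejection alongside it.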
Recommended Fix (PR #158):
- if (name.indexOf("..") != -1 && !destFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+ if (name.indexOf("..") != -1 && !destFile.getCanonicalFile().toPath().startsWith(outputDir.getCanonicalFile().toPath())) {
+ throw new MaliciousZipException(outputDir, name);
+ }
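Review bot: the `name.indexOf("..") != -1 &&` guard is kept, so the new `Path`-based comparison still runs only for entry names that contain `..`; the Tomcat change it mirrors has no such precondition. Suggest `if (!destFile.getCanonicalFile().toPath().startsWith(outputDir.getCanonicalFile().toPath()))` so every entry is validated; the two canonicalisations per entry are cheap relative to the file write that follows.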