Summary
rarfile allows arbitrary file writes outside the extraction directory when extracting crafted RAR archives containing symlinks. The symlink target path is passed directly to os.symlink() without validation.
Details
In rarfile.py, _make_symlink() passes info.file_symlink to os.symlink() without checking whether the target resolves outside the extraction directory. sanitize_filename() only sanitizes the entry name, not the symlink target, so a relative target such as '../..' survives untouched.
PoC
Craft a RAR archive containing a symlink entry 'link' -> '../../../tmp/pwned' followed by a file entry 'link/evil.txt'. On extraction, the link is created first, so evil.txt is written through it to /tmp/pwned/, outside the extraction directory.
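As an added example (not rarfile's code; function names are hypothetical), these are the two checks an extractor needs to close this hole: validate a symlink entry's target against the extraction root before creating it, and re-validate each file entry's real destination after earlier entries (including symlinks) have hit disk. demo() replays the two-entry sequence from the PoC against scratch directories.

```python
import os
import tempfile


def _inside(base, path):
    """True when the absolute, resolved `path` lies under the resolved `base`."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, path]) == base


def symlink_target_allowed(extract_dir, link_name, target):
    """Reject a symlink entry whose target would resolve outside extract_dir.
    The target is interpreted relative to the directory that holds the link,
    because that is how the OS will follow it later."""
    if os.path.isabs(target):
        return False
    link_path = os.path.realpath(os.path.join(extract_dir, link_name))
    if not _inside(extract_dir, link_path):
        return False
    resolved = os.path.normpath(os.path.join(os.path.dirname(link_path), target))
    return _inside(extract_dir, resolved)


def member_path_allowed(extract_dir, name):
    """Reject a file entry whose destination, after following any symlinks
    already created on disk, lands outside extract_dir. realpath() is what
    catches the 'link/evil.txt' stage of the PoC."""
    dest = os.path.realpath(os.path.join(extract_dir, name))
    return _inside(extract_dir, dest)


def demo():
    """Constructed scenario: a scratch extraction dir and a scratch 'outside'
    dir. Returns (symlink_verdict, file_verdict); a safe extractor yields
    (False, False) and never writes evil.txt."""
    extract_dir = tempfile.mkdtemp(prefix="rar-extract-")
    outside = tempfile.mkdtemp(prefix="rar-outside-")
    # Relative target pointing out of extract_dir, like '../../../tmp/pwned'.
    target = os.path.relpath(outside, extract_dir)
    link_verdict = symlink_target_allowed(extract_dir, "link", target)
    # Simulate an unpatched extractor that created the link anyway, then
    # check the file entry that would be written through it.
    os.symlink(outside, os.path.join(extract_dir, "link"))
    file_verdict = member_path_allowed(extract_dir, "link/evil.txt")
    return link_verdict, file_verdict
```

Both checks must run; validating only the entry name, as sanitize_filename() does, leaves the symlink-target and the write-through-link stages unguarded.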
Impact
- Arbitrary file write -> potential RCE
- ~1.5M monthly PyPI downloads
- CVSS 7.5 (High), CWE-22, CWE-59
References: CVE-2018-1000001 (Zip Slip), Snyk Zip Slip research