Path traversal bug in extractor.go at function outputpath


**Impact:**

The latest version of pzip/punzip v0.2.2 has a path traversal vulnerability that allows the attacker to create or write to files outside the current directory for .zip archive.



**How to reproduce:**

```
wget https://github.com/ybirader/pzip/archive/refs/tags/v0.2.2.tar.gz 
tar -xzf v0.2.2.tar.gz 
cd pzip-0.2.2/
cd cmd/punzip/ && go build

# place pocpos.zip in this directory
./punzip pocpoc.zip 

# verify attack worked
cat ../poc/testtest.txt

````

**Root cause:**

The root cause is a missing sanitization function that prevents path traversal before reaching sink function writeFile ([os.OpenFile](https://github.com/ybirader/pzip/blob/9eb13490a5a50cc90eb522783ce372a55bcd5196/extractor.go#L123) line 123) due to unsafe path join at [filepath.Join](https://github.com/ybirader/pzip/blob/9eb13490a5a50cc90eb522783ce372a55bcd5196/extractor.go#L155).


**Proposed fix:**

I have created [PR](https://github.com/ybirader/pzip/pull/14#issue-3867474308) for a proposed fix that ensures the extraction of archive files inside the intended directory.

**PoC image:** 
 `pocpoc.zip`: [pocpoc.zip](https://github.com/user-attachments/files/24921757/pocpoc.zip)



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Path traversal bug in extractor.go at function outputpath #15

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Path traversal bug in extractor.go at function outputpath #15

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions