This repository has been archived by the owner on Feb 25, 2020. It is now read-only.

ZIP Slip vulnerability #154

Open
kukuxumushi opened this issue Jul 26, 2019 · 3 comments

Comments

@kukuxumushi

Description

Attackers can create Zip archives that use path traversal to overwrite important files on affected systems, destroying them or replacing them with malicious alternatives, or to upload a new file containing malicious code.

How to reproduce

  1. Create a file with some code, for example:
<?php
phpinfo();
?>
  2. Name it something like "xxxphpinfo.php".
  3. Create a zip archive.
  4. Open the zip archive in a hex editor. Change xxx to ../ in two places: at the top of the hex and at the bottom.
  5. Pass the modified archive to the Ne-Lexa/php-zip extraction function. For example:
Zipper::make('phpinfo.zip')->folder('')->extractTo('uploads/');

I don't have folders in the archive, but it works the same with and without them.
  6. Navigate to ../uploads and execute phpinfo.php.

Possible Solution

Use php zlib or somehow escape ../ characters.

Additional context

More about the vulnerability:
https://snyk.io/research/zip-slip-vulnerability
Archive example:
php2.zip

@Chumper
Owner

Chumper commented Jul 26, 2019

As far as I can see this is fixed with PHP 5.7.
So users should upgrade their PHP version.
As we are only relying on the ZIP module of PHP we cannot fix it for them.

@kukuxumushi
Author

I have php 7.3.7.
image

@Chumper
Owner

Chumper commented Jul 26, 2019

I see.
I haven't worked with this code in a long time, but I see that we get the file content and put it into the file system on our own here: https://github.com/Chumper/Zipper/blob/master/src/Chumper/Zipper/Zipper.php#L623

We could use ltrim($tmpPath , "/."); to be safe.
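A per-entry containment check, added here as an example and not code from this thread, from Chumper/Zipper or from Ne-Lexa/php-zip: it normalises each entry name lexically and refuses any entry that would resolve above the destination directory, which covers names like "sub/../../x" and absolute names as well as the leading "../" from the report. Assumes PHP 7+ with ext/zip and an existing destination directory; the function names are hypothetical.

```php
<?php
// Added example (not Chumper/Zipper or Ne-Lexa/php-zip code). Assumes PHP 7+
// with ext/zip and an existing $destDir; safeEntryPath/extractSafely are
// hypothetical names. The archive never chooses the output path on its own.
// Absolute path the entry may be written to, or null if it escapes $destDir.
function safeEntryPath(string $destDir, string $entryName): ?string
{
    $base = realpath($destDir);
    if ($base === false) { return null; }
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $entryName)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; } // also drops a leading "/"
        if ($seg === '..') {
            if (array_pop($parts) === null) {
                return null; // would climb above the destination root (Zip Slip)
            }
            continue;
        }
        $parts[] = $seg;
    }
    if ($parts === []) { return null; } // empty name such as "./"
    return $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
}

// Extract $zipFile into $destDir; returns the entry names that were refused.
function extractSafely(string $zipFile, string $destDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipFile) !== true) {
        throw new RuntimeException("cannot open $zipFile");
    }
    $refused = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $target = safeEntryPath($destDir, $name);
        if ($target === null) {
            $refused[] = $name; // e.g. "../phpinfo.php" from the report above: log it, never write it
            continue;
        }
        if (substr($name, -1) === '/') { continue; } // directories are created on demand below
        is_dir(dirname($target)) || mkdir(dirname($target), 0755, true);
        file_put_contents($target, $zip->getFromIndex($i)); // bytes copied by us to a path chosen by us
    }
    $zip->close();
    return $refused;
}
```

A non-empty return value from extractSafely() is worth alerting on, since a legitimate archive has no reason to contain an entry that resolves outside its own extraction directory.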
