CVE-2023-24057: SecurityAdvisory-0001

Package

maven org.hl7.fhir.publisher (Maven)

Affected versions

< 1.2.30

Impact

MITM can enable Zip-Slip.

Vulnerability****Vulnerability 1: Publisher.java

There is no validation that the zip file being unpacked has entries that are not maliciously writing outside of the intended destination directory.

ZipInputStream zip = new ZipInputStream(npm.load("other", “ig-template.zip”));

byte[] buffer = new byte[2048];

ZipEntry entry;

while((entry = zip.getNextEntry())!=null) {

String filename = Utilities.path(adHocTmpDir, entry.getName());

String dir = Utilities.getDirectoryForFile(filename);

Utilities.createDirectory(dir);

FileOutputStream output = new FileOutputStream(filename);

int len = 0;

while ((len = zip.read(buffer)) > 0)

output.write(buffer, 0, len);

output.close();

}

Vulnerability 2: WebSourceProvider.java

There is a check for malicious zip entries here, but it is not covered by test cases and could potentially be reverted in future changes.

try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(buf))) {

ZipEntry zipEntry = zis.getNextEntry();

while (zipEntry != null) {

Path newPath = Utilities.zipSlipProtect(zipEntry, target);

Files.delete(newPath);

zipEntry = zis.getNextEntry();

}

zis.closeEntry();

}

Vulnerability 3: ZipFetcher.java

This retains the path for Zip files in FetchedFile entries, which could later be used to output malicious entries to another compressed file or file system.

try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(theZipFile))) {

Map<String, FetchedFile> dirs = new HashMap<String, FetchedFile>();

while (true) {

ZipEntry entry = zis.getNextEntry();

if (entry == null) {

myLogger.logMessage(“No more entries”);

break;

}

String entryName = entry.getName();

myLogger.logMessage(String.format("Found entry: {}", entryName));

FetchedFile ff = new FetchedFile(entryName);

ff.setPath(entryName);

ff.setName(SimpleFetcher.fileTitle(entryName));

ff.setTime(entry.getTime());

if (entry.isDirectory()) {

ff.setContentType(“application/directory”);

ff.setFolder(true);

if (entryName.endsWith(“/”)) {

entryName = entryName.substring(0, entryName.length() - 1);

ff.setPath(entryName);

}

dirs.put(entryName, ff);

// TODO: work this in

// for (File fl : f.listFiles())

// ff.getFiles().add(fl.getCanonicalPath());

} else {

ff.setFolder(false);

if (entryName.endsWith(“json”)) {

ff.setContentType(“application/fhir+json”);

} else if (entryName.endsWith(“xml”)) {

ff.setContentType(“application/fhir+xml”);

}

byte[] bytes = IOUtils.toByteArray(zis);

ff.setSource(bytes);

}

if (entryName.contains(“/”))

dirs.get(entryName.substring(0, entryName.lastIndexOf(“/”))).getFiles().add(entryName);

myFiles.put(normalisePath(entryName), ff);

}

} catch (IOException e) {

// should not happen

throw new Error(e);

}

}

Vulnerability 4: IGPack2NpmConvertor.java

The loadZip method retains the path for entries in the zip file, which could later be used to output malicious entries to another compressed file or file system.

private Map<String, byte[]> loadZip(InputStream stream) throws IOException {

Map<String, byte[]> res = new HashMap<String, byte[]>();

ZipInputStream zip = new ZipInputStream(stream);

ZipEntry ze;

while ((ze = zip.getNextEntry()) != null) {

int size;

byte[] buffer = new byte[2048];

ByteArrayOutputStream bytes = new ByteArrayOutputStream();

BufferedOutputStream bos = new BufferedOutputStream(bytes, buffer.length);

while ((size = zip.read(buffer, 0, buffer.length)) != -1) {

bos.write(buffer, 0, size);

}

bos.flush();

bos.close();

res.put(ze.getName(), bytes.toByteArray());

zip.closeEntry();

}

zip.close();

return res;

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

• (https://snyk.io/research/zip-slip-vulnerability)