CVE-2023-46122: zip slip vulnerability · Issue #358 · sbt/io
sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of an arbitrary file. This would have the potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in the `pullRemoteCache` task and `Resolvers.remote`; however, many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.
zip slip vulnerability #358
Closed · xuwei-k opened this issue Oct 15, 2023 · 1 comment · Fixed by #360
Comments
- https://security.snyk.io/research/zip-slip-vulnerability
- https://github.com/snyk/zip-slip-vulnerability
How to fix? 🤔
- change the `filter: NameFilter = AllPassFilter` default param?

```scala
def unzip(
    from: File,
    toDirectory: File,
    filter: NameFilter = AllPassFilter,
    preserveLastModified: Boolean = true
): Set[File] =
  fileInputStream(from)(in => unzipStream(in, toDirectory, filter, preserveLastModified))

def unzipURL(
    from: URL,
    toDirectory: File,
    filter: NameFilter = AllPassFilter,
    preserveLastModified: Boolean = true
): Set[File] =
  urlInputStream(from)(in => unzipStream(in, toDirectory, filter, preserveLastModified))

def unzipStream(
    from: InputStream,
    toDirectory: File,
    filter: NameFilter = AllPassFilter,
    // the rest of this signature is cut off in the issue as captured
```

- add an explicit filter param in user code?
  - https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/Resolvers.scala#L44
  - https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/internal/RemoteCache.scala#L416
- another solution?
eed3si9n added a commit to eed3si9n/io that referenced this issue
Oct 22, 2023
Fixes sbt#358 Ref codehaus-plexus/plexus-archiver 87
**Problem** IO.unzip currently has a zip-slip vulnerability, which can write arbitrary files on the machine using a specially crafted zip archive that holds path traversal file names.
**Solution** This replicates the fix originally sent to plexus-archiver by the Snyk Team.
### Impact

Given a specially crafted zip or JAR file, `IO.unzip` allows writing of an arbitrary file. The following is an example of a malicious entry:

```
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
```

This would have the potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in the `pullRemoteCache` task and `Resolvers.remote`; however, many projects use `IO.unzip(...)` directly to implement custom tasks: https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1

### Patches

The problem has been patched in https://github.com/sbt/io/pull/360. sbt 1.9.7 is available with the fix.

### Workarounds

A workaround might be to use some other library to unzip.

### References

- https://github.com/snyk/zip-slip-vulnerability
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
- https://github.com/sbt/io/issues/358
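The containment check that answers the "How to fix?" question above and that the plexus-archiver fix applies, written here as an added example rather than sbt/io's own code: canonicalize each entry's target path and refuse anything that resolves outside the destination directory, then exercise it against a constructed in-memory archive carrying the traversal entry name from the advisory. `SafeUnzip`, `resolveEntry`, `unzipStream` and `maliciousZip` are names of this example, not sbt APIs, and the check is done with plain `java.util.zip` so it runs without sbt on the classpath.

```scala
import java.io.{ ByteArrayInputStream, ByteArrayOutputStream, File, IOException, InputStream }
import java.nio.file.Files
import java.util.zip.{ ZipEntry, ZipInputStream, ZipOutputStream }

object SafeUnzip {
  // Resolve entryName under toDirectory and reject it unless the canonical result still lies
  // inside toDirectory (the containment check the plexus-archiver fix applies). Example names only.
  def resolveEntry(toDirectory: File, entryName: String): File = {
    val root = toDirectory.getCanonicalFile
    val target = new File(root, entryName).getCanonicalFile
    // Compare with a trailing separator so "/tmp/out" does not accept "/tmp/outside/x".
    val rootPrefix = root.getPath + File.separator
    if (target != root && !target.getPath.startsWith(rootPrefix))
      throw new IOException(s"zip entry '$entryName' resolves outside of $root")
    target
  }
  // Extract every entry into toDirectory, checking each name before anything touches the disk.
  def unzipStream(from: InputStream, toDirectory: File): Set[File] = {
    val zin = new ZipInputStream(from)
    val written = Set.newBuilder[File]
    try
      Iterator.continually(zin.getNextEntry).takeWhile(_ != null).foreach { entry =>
        val target = resolveEntry(toDirectory, entry.getName) // throws on traversal
        if (entry.isDirectory) Files.createDirectories(target.toPath)
        else {
          Files.createDirectories(target.toPath.getParent)
          Files.copy(zin, target.toPath) // reads only the current entry's bytes
          written += target
        }
        zin.closeEntry()
      }
    finally zin.close()
    written.result()
  }
  // Constructed sample input: one entry with the traversal name quoted in the advisory.
  def maliciousZip(): Array[Byte] = {
    val bytes = new ByteArrayOutputStream()
    val zout = new ZipOutputStream(bytes)
    zout.putNextEntry(new ZipEntry("../../../../../../root/.ssh/authorized_keys"))
    zout.write("constructed placeholder payload".getBytes("UTF-8"))
    zout.closeEntry(); zout.close()
    bytes.toByteArray
  }
  def main(args: Array[String]): Unit = {
    val out = Files.createTempDirectory("safe-unzip").toFile
    try unzipStream(new ByteArrayInputStream(maliciousZip()), out)
    catch { case e: IOException => println(s"rejected: ${e.getMessage}") }
  }
}
```

Because `resolveEntry` runs before any directory or file is created, a rejected archive leaves nothing behind in the destination; the same check can be applied as a pre-scan over entry names to flag suspicious JARs before they reach an extractor that lacks the fix.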