Bug 62502

Summary: Unzip allowFilesToEscapeDest=false doesn't check for relative paths in some cases (../../../)
Product: Ant
Reporter: Oliver <Oliver.Warz>
Component: Core tasks
Assignee: Ant Notifications List <notifications>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 1.10.4   
Target Milestone: 1.10.5   
Hardware: PC   
OS: All   

Description Oliver 2018-06-28 12:30:09 UTC
Can you please check the change for unzip/unjar/untar again, if the current behavior is expected.

<unzip>, <unjar> and <untar> will no longer extract entries whose
   names would make the created files be placed outside of the
   destination directory anymore by default. A new attribute
   allowFilesToEscapeDest can be used to override the behavior.

It seems that for some special cases, multiple relative paths are extracted to a directory outside of the destination although allowFilesToEscapeDest is set to false.

reproducible with:     https://github.com/snyk/zip-slip-vulnerability/blob/master/archives/zip-slip-win.zip    (Snyk Test files)
not reproducible with: https://github.com/apache/ant/blob/e56e54565804991c62ec76dad385d2bdda8972a7/src/tests/antunit/taskdefs/zip/direscape.zip (Ant Testcase)

Tested with Ant 1.10.4 and 1.9.12.
Java(TM) SE Runtime Environment (build 1.8.0_172-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.172-b11, mixed mode)

build.xml
<?xml version="1.0" encoding="UTF-8"?>
<project name="vis_installer" default="main">
    <target name="main">
        <unzip dest="C:/test/dest/" src="C:/test/zip-slip-win.zip" allowFilesToEscapeDest="false"/>
    </target>
</project>

ant -d build.xml
Apache Ant(TM) version 1.10.4 compiled on June 19 2018
...
main:
parsing buildfile jar:file:/C:/test/apache-ant-1.10.4/lib/ant.jar!/org/apache/tools/ant/antlib.xml with URI = jar:file:/C:/test/apache-ant-1.10.4/lib/ant.jar!/org/apache/tools/ant/antlib.xml from a zip file
    [unzip] Expanding: C:\test\zip-slip-win.zip into C:\test\dest
    [unzip] extracting good.txt
    [unzip] expanding good.txt to C:\test\dest\good.txt
    [unzip] extracting ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Temp\evil.txt
    [unzip] expanding ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Temp\evil.txt to C:\test\dest\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Temp\evil.txt
    [unzip] expand complete

BUILD SUCCESSFUL
Total time: 0 seconds

Destination is c:\test\dest
File is extracted to c:\Temp\evil.txt


Structure listed by 7-Zip of zip-slip-win.zip (problem testcase):
Path = \test\zip-slip-win.zip
Type = zip
Physical Size = 547

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2018-04-15 21:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Temp\evil.txt
------------------- ----- ------------ ------------  ------------------------
2018-04-15 22:04:42                 39           39  2 files


Structure listed by 7-Zip for the working testcase:

Path = \test\direscape.zip
Type = zip
Physical Size = 332

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2018-04-21 18:52:07 D....            0            0  ..\testinput
2018-04-21 18:52:07 .....            0            0  ..\testinput\a
------------------- ----- ------------ ------------  ------------------------
2018-04-21 18:52:07                  0            0  1 files, 1 folders

Comment 1 Stefan Bodewig 2018-06-28 13:25:13 UTC
I can reproduce this on a Linux box as well, thank you for the heads up!

Comment 2 Stefan Bodewig 2018-06-28 13:49:15 UTC
My fault, sorry for that. We are currently discussing how to fix it, for context see https://lists.apache.org/thread.html/ed2b2068699fae5c84c8772fca6b854d43ec7e9506c292b3af22da46@%3Cdev.ant.apache.org%3E

Comment 3 Stefan Bodewig 2018-07-03 16:37:17 UTC
Thanks, it is supposed to be fixed in both branches now. It would be good if you could build Ant from master and confirm it also works on Windows as expected.

Comment 4 Oliver 2018-07-03 20:00:58 UTC
(In reply to Stefan Bodewig from comment #3)
> Thanks, it is supposed to be fixed in both branches now. It would be good if
> you could build Ant from master and confirm it also works on Windows as
> expected.

I did a minimal test for unzip/untar/unjar and allowFilesToEscapeDest="false" worked as expected on Windows 10.
Thanks for the quick reply and the great build tool.

ant -d
Apache Ant(TM) version 1.10.5alpha compiled on July 3 2018
...
    [unzip] Expanding: C:\test\zip-slip-win.zip into C:\test\dest
    [unzip] extracting good.txt
    [unzip] expanding good.txt to C:\test\dest\good.txt
    [unzip] extracting ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Temp\evil.txt
    [unzip] skipping ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Temp\evil.txt as its target C:\Temp\evil.txt is outside of C:\test\dest.
    [unzip] expand complete

BUILD SUCCESSFUL
Total time: 0 seconds

Comment 5 Falko Modler 2018-12-09 22:22:16 UTC
On Windows 10, this fix slows down the unzip task considerably - actually threefold in a specific case (JBoss EAP 6.4 distribution zipfile).

I suppose this is caused by getCanonicalPath().

I will create a new ticket for this.
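
The containment check this report turns on, as an added Java example (not Ant's code and not posted by anyone in this thread): each entry name is resolved against the destination, canonicalized, and refused unless the result is the destination or lies below it. The class name, the constructed entry names and the sibling-directory case are assumptions added for illustration; getCanonicalFile() consults the file system for every entry, and it is the same canonicalization that comment 5 suspects as the cause of the slowdown.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.zip.*;

public class ZipSlipCheck {
    // True only if target, after ".." and symlinks are resolved, is dest or below it.
    static boolean isInside(File dest, File target) throws IOException {
        Path base = dest.getCanonicalFile().toPath();
        // Path.startsWith compares whole name elements, so "dest-evil" is not inside "dest".
        return target.getCanonicalFile().toPath().startsWith(base);
    }

    // Extracts the archive into dest and returns the entry names that were refused.
    static List<String> extract(InputStream zip, File dest) throws IOException {
        List<String> skipped = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(zip)) {
            for (ZipEntry e; (e = in.getNextEntry()) != null; ) {
                // Assumption: '\' is treated as a separator on every platform.
                File target = new File(dest, e.getName().replace('\\', '/'));
                if (!isInside(dest, target)) {
                    skipped.add(e.getName());
                } else if (e.isDirectory()) {
                    target.mkdirs();
                } else {
                    target.getParentFile().mkdirs();
                    Files.copy(in, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
        return skipped;
    }

    public static void main(String[] args) throws IOException {
        File dest = Files.createTempDirectory("dest").toFile();
        // Constructed entries: benign, "..\" climb, sibling dir sharing dest's name prefix.
        String[] names = {"good.txt", "..\\..\\Temp\\evil.txt", "../" + dest.getName() + "-evil/x.txt"};
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            for (String n : names) {
                out.putNextEntry(new ZipEntry(n));
                out.write(n.getBytes(StandardCharsets.UTF_8));
                out.closeEntry();
            }
        }
        List<String> skipped = extract(new ByteArrayInputStream(buf.toByteArray()), dest);
        System.out.println("skipped: " + skipped);
        System.out.println("good.txt written: " + new File(dest, "good.txt").isFile());
    }
}
```

The third entry shows why the comparison is made on path elements rather than on strings: a plain string prefix test would accept a sibling directory whose name begins with the destination's name.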