Remove symlinks in zip files

[ImanSharaf]

I was checking this HackerOne report with a $29000 bounty and I found it very interesting. This is different than Zip Slip. In case of Zip Slip we can inject .. in the file path so we can extract our file in a wrong place. In this report, the attacker crafts a malicious symlink to /etc/passwd when the backend extracts it untar_zxf function only changes the permissions and extract the symlink as is, so the attacker was able to read the passwd file!
I believe we need an ASVS item to check for removal of symlinks in the zip files.

[elarlang]

This is interesting.

Is there any harm it can do to end user as well? I mean should application prevent uploading zip-files containing symlinks, or it is only necessary when application actually extracts files (from user) and processes their content.

[ImanSharaf]

If the user directly uploads a symlink that links to /etc/passwd the user's passwd file would be uploaded to the server. But if the app has a function to untar or unzip (for example, a Ruby app), and then the user is able to see the content of the uploaded zip or tar file, then the user will be able to see the server's passwd file. I believe on of the mitigations is to remove any symlinks when the app starts to extract a compressed file.

[csfreak92]

Interesting attack vector. Seems like a valid requirement to have. Does this mean it is sort of an RCE-level kind of threat the way this vulnerability works?

[ImanSharaf]

@csfreak92 It could lead to an RCE if the attacker would be able to fetch some sensitive secrets in the environment variables files or the source code.

[elarlang]

Well, played with that a bit. Now there is nice question - what is the actual defense?

Original proposal:

I believe we need an ASVS item to check for removal of symlinks in the zip files.

Options:

• removing only symlinks - like proposed, but It's not my favourite
• requirement do not allow to upload archives with symlinks at all
  • good: threat taken down in early stage and does not depend on configuration
  • bad: it requires inspecting the archive content on every file upload and may increase the risk for zip bombs
• require unpacking zip files without following symlinks or in sandboxed environment