Insecure ZIP Archive Extraction
Description
Insecure ZIP archive extraction with adm-zip can lead to arbitrary file overwrite and, through that, to code injection. The root cause is improper limitation of a pathname to a restricted directory ('Path Traversal', CWE-22): entry names stored in the archive are used to build output paths without checking that they stay inside the extraction directory.
Examples
Insecure Code
```javascript
const AdmZip = require('adm-zip');

// Extract every entry straight into the current working directory, trusting
// the entry names stored in the archive. An entry whose name contains "../"
// can escape './' and overwrite files outside it when the extraction routine
// does not reject traversal sequences.
const zip = new AdmZip(require('path').join(__dirname, 'example.zip'));
zip.extractAllTo(/* directory */ './', /* overwrite */ true);
```
Secure Code
```javascript
const AdmZip = require('adm-zip');
const fs = require('fs');
const path = require('path');

const zip = new AdmZip(require('path').join(__dirname, 'example.zip'));
zip.extractAllTo(/* directory */ './extracted', /* overwrite */ true);

// When writing an entry out by hand, reduce its name to the base name so any
// directory components (including "../") are discarded before the result is
// joined onto the extraction directory.
fs.createWriteStream(path.join('./extracted', path.basename('example.txt')));
```
Use $FS.createWriteStream($PATH.join(..., $PATH.basename($FILENAME, ...))) or $FS.writeFile($PATH.join(..., $PATH.basename($FILENAME, ...))) so that only the base name of an archive entry is joined onto the destination directory; stripping the directory components is what prevents path traversal.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0416 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Path Traversal, ZIP Archive Extraction |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |