Insecure ZIP Archive Extraction
Description
The application extracts ZIP archives without sanitizing entry paths or confining writes to a dedicated extraction directory, so an attacker who controls the archive can overwrite sensitive files or plant malicious code through crafted entry names.
Examples
Insecure Code

```javascript
const fs = require('fs');
const unzipper = require('unzipper');

// Vulnerable: entry.path comes straight from the archive, so "../" components or absolute
// names let a crafted ZIP write anywhere the process can; no destination directory is enforced.
fs.createReadStream(zipPath)
  .pipe(unzipper.Parse())
  .on('entry', function (entry) {
    entry.pipe(fs.createWriteStream(entry.path));
  });
```

Secure Code

```javascript
const fs = require('fs');
const path = require('path');
const unzipper = require('unzipper');

// Each entry is reduced to its basename and written only under the dedicated extraction directory.
const directory = 'assets/zip/extracted/';
fs.createReadStream(zipPath)
  .pipe(unzipper.Parse())
  .on('entry', function (entry) {
    const filename = path.basename(entry.path);
    entry.pipe(fs.createWriteStream(path.join(directory, filename)));
  });
```

Remediation
Sanitize every entry path taken from a ZIP archive before writing the extracted file, using path.basename and path.join. Write extracted files only into a dedicated extraction directory, never to arbitrary locations on the filesystem. Restrict extraction to an allow-list of file types.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0422 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Path Traversal, ZIP Archive Extraction |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |