Path traversal bug in unzip.go in functions  extractTar and extractFile


**Impact:**

The latest version of arcat v1.3.1  has a path traversal vulnerability that allows the attacker to create or write to files outside the current directory for both .zip and .tar archives.

**How to reproduce:**

```
wget https://github.com/please-build/arcat/archive/refs/tags/v1.3.1.tar.gz 
tar -xzf v1.3.1.tar.gz
cd arcat-1.3.1/
go build -o arcat  main.go
# place pocpoc.zip in this directory
./arcat extract pocpoc.zip

# verify attack worked
cat ../poc/testtest.txt

rm -r ../poc/

# place pocpoc.tar in this directory
./arcat extract pocpoc.tar
# verify attack worked
cat ../poc/testtest.txt
````

**Root cause:**

The root cause is a missing sanitization function that prevents path traversal before reaching sink functions  ([os.OpenFile](https://github.com/please-build/arcat/blob/5a2a4314b26b96256f77df5a1a808462fbc6d954/unzip/unzip.go#L112) line 112) in extractTar and  ([os.OpenFile](https://github.com/please-build/arcat/blob/5a2a4314b26b96256f77df5a1a808462fbc6d954/unzip/unzip.go#L177) line 177) in extractFile.


**Proposed fix:**

I have created [PR](https://github.com/please-build/arcat/pull/41#issue-3861412833) for a proposed fix that ensures the extraction of archive files inside the intended directory.

**PoC image:** 
Extract `poc.zip` to obtain `pocpoc.tar` and  `pocpoc.zip`: [poc.zip](https://github.com/user-attachments/files/24890065/poc.zip)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Path traversal bug in unzip.go in functions extractTar and extractFile #42

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Path traversal bug in unzip.go in functions extractTar and extractFile #42

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions