Impact
A man-in-the-middle (MITM) attacker who can tamper with a zip file while it is being downloaded can use it to carry out a Zip-Slip (archive path traversal) attack.
Vulnerability
Vulnerability 1: Publisher.java
fhir-ig-publisher/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/Publisher.java
Lines 3598 to 3610 in 87313e9
The zip file being unpacked is not validated: nothing checks that an entry name does not resolve to a location outside the intended destination directory before the entry is written.
```java
ZipInputStream zip = new ZipInputStream(npm.load("other", "ig-template.zip"));
byte[] buffer = new byte[2048];
ZipEntry entry;
while((entry = zip.getNextEntry())!=null) {
  String filename = Utilities.path(adHocTmpDir, entry.getName());
  String dir = Utilities.getDirectoryForFile(filename);
  Utilities.createDirectory(dir);
  FileOutputStream output = new FileOutputStream(filename);
  int len = 0;
  while ((len = zip.read(buffer)) > 0)
    output.write(buffer, 0, len);
  output.close();
}
```
Vulnerability 2: WebSourceProvider.java
fhir-ig-publisher/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/web/WebSourceProvider.java
Lines 104 to 112 in 87313e9
A check for malicious zip entries is present here, but it is not covered by any test case, so a future change could remove it without being noticed.
```java
try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(buf))) {
  ZipEntry zipEntry = zis.getNextEntry();
  while (zipEntry != null) {
    Path newPath = Utilities.zipSlipProtect(zipEntry, target);
    Files.delete(newPath);
    zipEntry = zis.getNextEntry();
  }
  zis.closeEntry();
}
```
Vulnerability 3: ZipFetcher.java
fhir-ig-publisher/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/ZipFetcher.java
Lines 57 to 106 in 87313e9
The raw entry name from the zip is retained as the path of each FetchedFile. A malicious name stored this way could later be used when these entries are written to another compressed file or to the file system.
```java
try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(theZipFile))) {

  Map<String, FetchedFile> dirs = new HashMap<String, FetchedFile>();
  while (true) {
    ZipEntry entry = zis.getNextEntry();
    if (entry == null) {
      myLogger.logMessage("No more entries");
      break;
    }

    String entryName = entry.getName();
    myLogger.logMessage(String.format("Found entry: {}", entryName));

    FetchedFile ff = new FetchedFile(entryName);
    ff.setPath(entryName);
    ff.setName(SimpleFetcher.fileTitle(entryName));
    ff.setTime(entry.getTime());
    if (entry.isDirectory()) {
      ff.setContentType("application/directory");
      ff.setFolder(true);
      if (entryName.endsWith("/")) {
        entryName = entryName.substring(0, entryName.length() - 1);
        ff.setPath(entryName);
      }
      dirs.put(entryName, ff);

      // TODO: work this in
      // for (File fl : f.listFiles())
      //   ff.getFiles().add(fl.getCanonicalPath());
    } else {
      ff.setFolder(false);
      if (entryName.endsWith("json")) {
        ff.setContentType("application/fhir+json");
      } else if (entryName.endsWith("xml")) {
        ff.setContentType("application/fhir+xml");
      }
      byte[] bytes = IOUtils.toByteArray(zis);
      ff.setSource(bytes);
    }
    if (entryName.contains("/"))
      dirs.get(entryName.substring(0, entryName.lastIndexOf("/"))).getFiles().add(entryName);

    myFiles.put(normalisePath(entryName), ff);
  }

} catch (IOException e) {
  // should not happen
  throw new Error(e);
}
}
```
Vulnerability 4: IGPack2NpmConvertor.java
fhir-ig-publisher/org.hl7.fhir.publisher.core/src/main/java/org/hl7/fhir/igtools/publisher/IGPack2NpmConvertor.java
Lines 442 to 463 in 87313e9
The loadZip method keys its result map by the raw entry name from the zip. A malicious name stored this way could later be used when the entries are written to another compressed file or to the file system.
```java
private Map<String, byte[]> loadZip(InputStream stream) throws IOException {
  Map<String, byte[]> res = new HashMap<String, byte[]>();
  ZipInputStream zip = new ZipInputStream(stream);
  ZipEntry ze;
  while ((ze = zip.getNextEntry()) != null) {
    int size;
    byte[] buffer = new byte[2048];

    ByteArrayOutputStream bytes = new ByteArrayOutputStream();
    BufferedOutputStream bos = new BufferedOutputStream(bytes, buffer.length);

    while ((size = zip.read(buffer, 0, buffer.length)) != -1) {
      bos.write(buffer, 0, size);
    }
    bos.flush();
    bos.close();
    res.put(ze.getName(), bytes.toByteArray());

    zip.closeEntry();
  }
  zip.close();
  return res;
}
```
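Added example, not code from fhir-ig-publisher: a Java extraction helper that applies the check all four findings call for, resolving each entry name against the destination directory and rejecting any name that escapes it before anything is written. `SafeUnzip`, `safeResolve` and `extract` are names chosen for this example, and `/tmp/ig-out` is a constructed destination path.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public class SafeUnzip {

    // Resolve an entry name against the destination directory and refuse any
    // name that escapes it. Same job as Utilities.zipSlipProtect in the
    // advisory, but an independent implementation written for this example.
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path dest = destDir.toAbsolutePath().normalize();
        // resolve() of an absolute entry name yields that absolute path, so it fails the check too
        Path resolved = dest.resolve(entryName).normalize();
        if (!resolved.startsWith(dest)) {   // component-wise: "/tmp/ig-out2" is not under "/tmp/ig-out"
            throw new IOException("Zip entry escapes destination: " + entryName);
        }
        return resolved;
    }

    // Extract every entry under destDir, validating each name before any write.
    static void extract(byte[] zipBytes, Path destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            for (ZipEntry e = zis.getNextEntry(); e != null; e = zis.getNextEntry()) {
                Path target = safeResolve(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target);   // reads only to the end of the current entry
                }
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path dest = Path.of("/tmp/ig-out");   // constructed destination; nothing is written here
        System.out.println(safeResolve(dest, "package/ig.json"));
        try {
            safeResolve(dest, "../../outside.txt");
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The same `safeResolve` check belongs wherever a stored entry name (as in ZipFetcher and loadZip) is later turned into a file path.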
Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References