Query module ZipSlip

name
Arbitrary file write during archive extraction (“Zip Slip”)
description
Extracting files from a malicious archive without validating that the destination file path is within the destination directory can cause files outside the destination directory to be overwritten.
kind
path-problem
id
java/zipslip
problem.severity
error
precision
high
tags
security external/cwe/cwe-022

Imports

DataFlow
Guards
PathGraph

Provides the query predicates needed to include a graph in a path-problem query.

SSA

Provides classes and predicates for SSA representation (Static Single Assignment form).

TaintTracking

Provides classes for performing local (intra-procedural) and global (inter-procedural) taint-tracking analyses.

java

Provides all default Java QL imports.

Predicates

filePathStep

Holds if n1 to n2 is a dataflow step that converts between String, File, and Path.

fileTaintStep
localFileValueStep
localFileValueStepPlus
validateFilePath

Holds if check is a guard that checks whether var is a file path with a specific prefix when put in canonical form, thus guarding against ZipSlip.

validationMethod

Holds if m validates its arg-th parameter.

Classes

ArchiveEntryNameMethod

A method that returns the name of an archive entry.

WrittenFileName

An expression that will be treated as the destination of a write.

ZipSlipConfiguration
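
The pattern this query reports, next to the canonical-prefix guard that validateFilePath describes, as an added Java example. It is not code from the CodeQL library or from this page; the class name, method names and the in-memory sample archive are constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class ZipSlipGuardExample {
    // Reported pattern: the archive entry name reaches the written path with no check.
    static void extractUnchecked(ZipInputStream zip, File destDir) throws IOException {
        for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
            File out = new File(destDir, e.getName()); // entry name used unvalidated
            if (!e.isDirectory()) Files.copy(zip, out.toPath(), StandardCopyOption.REPLACE_EXISTING);
        }
    }

    // Guard: the canonical destination must start with the canonical target directory.
    static Path resolveInside(File destDir, String entryName) throws IOException {
        File out = new File(destDir, entryName);
        String base = destDir.getCanonicalPath() + File.separator;
        if (!out.getCanonicalPath().startsWith(base))
            throw new IOException("entry outside destination: " + entryName);
        return out.toPath();
    }

    static void extractChecked(ZipInputStream zip, File destDir) throws IOException {
        for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
            Path out = resolveInside(destDir, e.getName()); // validated before any write
            if (e.isDirectory()) { Files.createDirectories(out); continue; }
            Files.createDirectories(out.getParent());
            Files.copy(zip, out, StandardCopyOption.REPLACE_EXISTING);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one normal entry, one whose name leaves the directory.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(buf)) {
            for (String name : new String[] {"docs/readme.txt", "../outside.txt"}) {
                z.putNextEntry(new ZipEntry(name));
                z.write("sample".getBytes());
                z.closeEntry();
            }
        }
        File dest = Files.createTempDirectory("unzip").toFile();
        try (ZipInputStream zip = new ZipInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            extractChecked(zip, dest);
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        System.out.println("readme extracted: " + new File(dest, "docs/readme.txt").isFile());
    }
}
```

Appending File.separator to the canonical base keeps a sibling directory such as `unzip-other` from passing a bare prefix match against `unzip`.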