Fix CVE-2018-1000544 symlink path traversal

Not sure if the exception is the right way to go
rubyzip · Jul 1, 2018 · 472acab · 472acab
1 parent f6e76d6
commit 472acab
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 0 deletions.
diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb
@@ -154,6 +154,9 @@ def extract(dest_path = nil, &block)
       elsif @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
         puts "WARNING: skipped \"../\" path component(s) in #{@name}"
         return self
+      elsif ftype == :symlink && get_input_stream.read =~ %r{../..}
+        puts "WARNING: skipped \"#{get_input_stream.read}\" symlink path in #{@name}"
+        return self
       end
 
       dest_path ||= @name

diff --git a/test/data/symlink.zip b/test/data/symlink.zip
diff --git a/test/entry_test.rb b/test/entry_test.rb
@@ -177,4 +177,14 @@ def test_entry_name_with_absolute_path_extract_when_given_different_path
 
     assert File.exist?("#{path}/tmp/file.txt")
   end
+
+  def test_entry_name_with_relative_symlink
+    assert_raises Errno::ENOENT do
+      Zip::File.open('test/data/symlink.zip') do |zip_file|
+        zip_file.each do |entry|
+          entry.extract
+        end
+      end
+    end
+  end
 end