From 8e78311d670ba70476fb46062c988849a82d1e02 Mon Sep 17 00:00:00 2001
From: Bart de Water
Date: Sun, 1 Jul 2018 16:45:06 -0400
Subject: [PATCH] Fix CVE-2018-1000544 symlink path traversal

Not sure if the exception is the right way to go
---
 lib/zip/entry.rb | 3 +++
 test/data/symlink.zip | Bin 0 -> 330 bytes
 test/entry_test.rb | 10 ++++++++++
 3 files changed, 13 insertions(+)
 create mode 100644 test/data/symlink.zip

diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb
index 37222a52..28d60091 100644
--- a/lib/zip/entry.rb
+++ b/lib/zip/entry.rb
@@ -154,6 +154,9 @@ def extract(dest_path = nil, &block)
 elsif @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
 puts "WARNING: skipped \"../\" path component(s) in #{@name}"
 return self
+ elsif symlink? && get_input_stream.read =~ %r{../..}
+ puts "WARNING: skipped \"#{get_input_stream.read}\" symlink path in #{@name}"
+ return self
 end
 
 dest_path ||= @name
diff --git a/test/data/symlink.zip b/test/data/symlink.zip
new file mode 100644
index 0000000000000000000000000000000000000000..e74ee19ab39d8e1e97d84522ff3209bda4ca1ad4
GIT binary patch
literal 330
zcmWIWW@h1H0D$_BEQ2?*x`>FFR20|3>Y
BIivsp

literal 0
HcmV?d00001

diff --git a/test/entry_test.rb b/test/entry_test.rb
index a75052e3..eaa9c0d9 100644
--- a/test/entry_test.rb
+++ b/test/entry_test.rb
@@ -177,4 +177,14 @@ def test_entry_name_with_absolute_path_extract_when_given_different_path
 assert File.exist?("#{path}/tmp/file.txt")
 end
+
+ def test_entry_name_with_relative_symlink
+ assert_raises Errno::ENOENT do
+ Zip::File.open('test/data/symlink.zip') do |zip_file|
+ zip_file.each do |entry|
+ entry.extract
+ end
+ end
+ end
+ end
 
 end
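Review bot: The added regex `%r{../..}` leaves its dots unescaped, so it matches any target that has a `/` with two characters on each side (a harmless `lib/zip` is rejected) while `../x`, a bare `..` and an absolute target such as `/tmp` fall through to extraction; the `@name` branch just above already shows the intended shape, `squeeze('/') =~ %r{(?:\A|/)\.\.(?:/|\z)}`. `get_input_stream.read` is also evaluated twice, once in the condition and again in the warning, so the target should be read into a local once; whether the second call reopens the stream or returns an empty string depends on `get_input_stream`, which is outside this hunk. A check written for relative components does not cover an absolute target, so `target.start_with?('/')` belongs in the same branch. `extract` begins and ends outside the hunk.
```ruby
    elsif symlink?
      target = get_input_stream.read
      # Reject absolute targets and any `..` path component, mirroring the @name check above.
      if target.start_with?('/') || target.squeeze('/') =~ %r{(?:\A|/)\.\.(?:/|\z)}
        puts "WARNING: skipped \"#{target}\" symlink path in #{@name}"
        return self
      end
    end
    # … unchanged: dest_path ||= @name and the rest of extract …
```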
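Review bot: `test_entry_name_with_relative_symlink` asserts only that some `Errno::ENOENT` escapes the loop, which does not show that the symlink entry was skipped — any missing file in the fixture would satisfy it, and the commit message itself doubts that the exception is the intended outcome. Pinning the observable effect would make the test meaningful: capture stdout and check for the `WARNING: skipped` line, and assert `!File.symlink?(entry.name)` for the symlink entry after extraction; the contents of `symlink.zip` are not visible here, so the expected entry names have to come from the fixture. `entry.extract` is called without a destination, so the test writes into the working directory; extracting into a temporary directory, as the neighbouring test appears to do with `path`, avoids leaving artifacts between runs.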