@Copilot Copilot AI commented Oct 5, 2025

Summary

Fixes a Zip Slip vulnerability in JarUtil.extract() that could allow arbitrary file writes outside the intended extraction directory when processing malicious JAR files.

Vulnerability Details

The Zip Slip vulnerability is a critical security issue that occurs during archive extraction when path traversal sequences in entry names are not properly validated. An attacker could craft a malicious JAR file with entries like ../../etc/passwd or subdir/../../evil.txt to write files outside the intended extraction directory, potentially overwriting system files or placing malicious content in sensitive locations.

Root Cause

The original code attempted to validate paths but did not normalize them before the security check:

Path f = destDir.resolve(file.getName());
if (!f.startsWith(toPath)) {
    throw new IOException("Bad zip entry");
}

This allowed paths containing .. segments to bypass validation because resolve() does not automatically normalize the path.

Changes Made

1. Normalize resolved paths before validation

Added .normalize() to canonicalize the resolved path before the security check:

Path f = destDir.resolve(file.getName()).normalize();

This ensures all .. and . path segments are resolved, making the startsWith() check effective at detecting path traversal attempts.

2. Ensure parent directories exist

Added parent directory creation before writing files:

Path parent = f.getParent();
if (parent != null) {
    Files.createDirectories(parent);
}

This ensures files can be extracted even when their parent directories are not explicitly listed as separate entries in the JAR.

Testing

Added comprehensive test coverage in JarUtilTest.java:

  • testZipSlipProtection: Verifies that simple path traversal attempts (../../evil.txt) are properly blocked
  • testZipSlipWithComplexPath: Verifies that complex path traversal attempts (subdir/../../evil.txt) are properly blocked
  • testNormalExtraction: Ensures legitimate JAR extraction continues to work correctly with files and subdirectories

All tests pass successfully, confirming the vulnerability is fixed without breaking existing functionality.

Impact

This is a minimal, surgical fix that:

  • ✅ Prevents arbitrary file writes outside the extraction directory
  • ✅ Maintains backward compatibility with legitimate JAR files
  • ✅ Adds no new dependencies
  • ✅ Includes test coverage to prevent regression

Resolves #1 (code scanning alert for Zip Slip vulnerability)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • repo.jenkins-ci.org
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.11/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.11/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.11 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.11/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/plexus-compiler/plexus-compiler/plexus-compiler-its/target/it/MCOMPILER-346-mre org.codehaus.plexus.classworlds.launcher.Launcher -B -D maven.repo.local=/home/REDACTED/work/plexus-compiler/plexus-compiler/plexus-compiler-its/target/local-repo -s /home/REDACTED/work/plexus-compiler/plexus-compiler/plexus-compiler-its/target/it/interpolated-settings.xml clean compile (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Fix code scanning alert - Arbitrary file write during archive extraction ("Zip Slip")</issue_title>
<issue_description>

Tracking issue for:

Comments on the Issue (you are @copilot in this section)

Fixes #322
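Worked example of the check discussed in this PR, as an added illustration rather than code from plexus-compiler or from the PR itself. It places the unsafe resolve()-only check beside the normalized one, then runs a small extractor over an in-memory JAR constructed here with the two hostile entry names from the PR's tests. All names (ZipSlipDemo, unsafeCheckAccepts, safeCheckAccepts, extract, buildJar) are assumptions for this example; the extractor goes slightly beyond the PR by also normalizing the destination directory itself, since a destination such as out/../out would otherwise cause legitimate entries to fail the startsWith check.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import java.util.jar.JarOutputStream;

// Hypothetical demo class, not part of plexus-compiler.
public class ZipSlipDemo {

    /** The unsafe pattern quoted in the PR: resolve() without normalize(). */
    static boolean unsafeCheckAccepts(Path destDir, String entryName) {
        Path f = destDir.resolve(entryName);
        // Lexical prefix test: "/dest/../../evil.txt" still "starts with" "/dest".
        return f.startsWith(destDir);
    }

    /** Hardened check: normalize both the base and the resolved entry before comparing. */
    static boolean safeCheckAccepts(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        Path f = base.resolve(entryName).normalize();
        return f.startsWith(base);
    }

    /** Extract a JAR from bytes into destDir, rejecting traversal entries; returns paths written. */
    static List<String> extract(byte[] jarBytes, Path destDir) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        List<String> written = new ArrayList<>();
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jarBytes))) {
            JarEntry entry;
            while ((entry = in.getNextJarEntry()) != null) {
                Path f = base.resolve(entry.getName()).normalize();
                if (!f.startsWith(base)) {
                    throw new IOException("Bad zip entry: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(f);
                } else {
                    // Parent directories may not be listed as their own entries.
                    Path parent = f.getParent();
                    if (parent != null) {
                        Files.createDirectories(parent);
                    }
                    // JarInputStream.read() returns -1 at the end of the current entry.
                    Files.copy(in, f, StandardCopyOption.REPLACE_EXISTING);
                }
                written.add(base.relativize(f).toString());
            }
        }
        return written;
    }

    /** Build a JAR in memory with the given entry names (constructed test input). */
    static byte[] buildJar(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (JarOutputStream out = new JarOutputStream(bos)) {
            for (String name : names) {
                out.putNextEntry(new JarEntry(name));
                out.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                out.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("zipslip-demo");
        // The two traversal shapes from the PR's tests.
        String[] hostile = {"../../evil.txt", "subdir/../../evil.txt"};
        for (String name : hostile) {
            System.out.printf("%-24s unsafe=%s safe=%s%n",
                    name, unsafeCheckAccepts(dest, name), safeCheckAccepts(dest, name));
        }
        // Legitimate entries extract normally; lib/ is created on demand.
        System.out.println("extracted: " + extract(buildJar("a.txt", "lib/b.txt"), dest));
        // A hostile entry is rejected before anything is written outside dest.
        try {
            extract(buildJar("ok.txt", "../../evil.txt"), dest);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two practitioner notes on the hardened check. Path.startsWith compares whole name elements, so /tmp/out does not falsely match /tmp/output; the check is still purely lexical, though, so normalize() does not follow symlinks, and an archive that first creates a symlinked directory and then writes a file through it needs a real-path comparison (for example via toRealPath on the parent) on top of this check.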


@Copilot Copilot AI changed the title [WIP] Fix code scanning alert - Arbitrary file write during archive extraction ("Zip Slip") Fix Zip Slip vulnerability in JAR extraction Oct 5, 2025
@Copilot Copilot AI requested a review from slachiewicz October 5, 2025 17:49
Copilot finished work on behalf of slachiewicz October 5, 2025 17:49
@slachiewicz slachiewicz marked this pull request as ready for review October 5, 2025 19:11
Development

Successfully merging this pull request may close these issues.

  • Fix code scanning alert - Arbitrary file write during archive extraction ("Zip Slip")
  • Add a J2ObjC compiler