Skip to content

Potential fix for code scanning alert no. 1: Arbitrary file access during archive extraction ("Zip Slip")#1881

Closed
Quantumrunner wants to merge 1 commit into
masterfrom
bug/zipsecurityIssue
Closed

Potential fix for code scanning alert no. 1: Arbitrary file access during archive extraction ("Zip Slip")#1881
Quantumrunner wants to merge 1 commit into
masterfrom
bug/zipsecurityIssue

Conversation

@Quantumrunner

Copy link
Copy Markdown
Collaborator

Potential fix for https://github.com/NPBruce/valkyrie/security/code-scanning/1

General fix: for every archive-derived path used in file operations, normalize with Path.GetFullPath, and enforce containment under a trusted base directory before opening/creating files. Avoid string concatenation for paths; use Path.Combine.

Best targeted fix here (without changing functionality):

  1. In AssetsManager.LoadZipFile, sanitize split base paths derived from zip entries:
    • Build a trusted extraction base from reader.FullPath/reader.FileName.
    • Normalize candidate split base path with GetFullPath(Combine(base, ...)).
    • Require candidate to start with trusted base path (ordinal comparison); skip/log otherwise.
    • Store sanitized relative key (zip-style /) for archive.GetEntry(...).
  2. In BundleFile.ReadFiles, replace extractPath + file.fileName with safe Path.Combine, then GetFullPath + containment check against normalized extractPath.
  3. In BundleFile.CreateBlocksStream, normalize and validate the temp file path (path + ".temp") against the parent directory of path before creating FileStream.

No new dependencies are needed; existing System.IO APIs are sufficient.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ring archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant