WiX Toolset

DTF vulnerable to "Zip Slip"

User stories

  • As a setup developer I can use DTF to extract user-provided archives to disk without concern of overwriting files outside the target folder.

Proposal

A security vulnerability was reported in which a malicious archive (.cab or .zip), crafted so that the filenames of its archived files include traversal paths, could overwrite files unexpectedly when processed by DTF. Consider the following code using DTF:

new CabInfo(@"path\to\bad.cab").Unpack(@"C:\unpack");

This could attempt to overwrite a Windows system file if bad.cab contained an archived file with the name ..\Windows\System32\kernel32.dll. This attack vector is known as Zip Slip.

The fix is to ensure that files being decompressed to disk are never written to a folder outside of the specified target folder. An InvalidDataException will be thrown when a malicious file is encountered.
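
One way to implement the containment check described above, shown as an added example rather than DTF's own code. SafeExtractPath.Resolve is a hypothetical helper, the entry names are constructed, and Windows path semantics are assumed.

```csharp
using System;
using System.IO;

static class SafeExtractPath
{
    // Hypothetical helper (not a DTF API): maps an archive entry name to a
    // destination path and rejects names that resolve outside targetDir.
    public static string Resolve(string targetDir, string entryName)
    {
        // Canonicalize the target and give it a trailing separator so that
        // "C:\unpack" does not prefix-match a sibling such as "C:\unpack2".
        string root = Path.GetFullPath(targetDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
        {
            root += Path.DirectorySeparatorChar;
        }

        // GetFullPath collapses "." and ".." segments. Combine returns entryName
        // alone when it is rooted, so absolute entry names fail the check too.
        string destination = Path.GetFullPath(Path.Combine(root, entryName));

        // Case-insensitive comparison is an assumption that matches the
        // default behaviour of Windows file systems.
        if (!destination.StartsWith(root, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidDataException(
                "Archive entry '" + entryName + "' resolves outside '" + root + "'.");
        }
        return destination;
    }

    static void Main()
    {
        // Constructed entry names; the second is the one used in the text above.
        string[] names = { @"docs\readme.txt", @"..\Windows\System32\kernel32.dll", @"a\..\..\unpack2\x.txt" };
        foreach (string name in names)
        {
            try
            {
                Console.WriteLine("OK       " + Resolve(@"C:\unpack", name));
            }
            catch (InvalidDataException e)
            {
                Console.WriteLine("REJECTED " + e.Message);
            }
        }
    }
}
```

The third name shows why the trailing separator matters: it resolves to C:\unpack2\x.txt, which a bare string-prefix test against C:\unpack would accept.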

Considerations

  • This is a breaking change to DTF methods that decompress files to disk.

  • There are methods in DTF to decompress archived files into memory. To minimize the backwards compatibility impact, these methods will not be affected by the fix.

See Also