DTF vulnerable to "Zip Slip"
- As a setup developer I can use DTF to extract user-provided archives to disk without concern of overwriting files outside the target folder.
A security vulnerability was reported in which a malicious archive (.cab or .zip), crafted to include traversal paths in the filenames of its archived files, could overwrite files unexpectedly when processed by DTF. Consider the following code using DTF:
This could attempt to overwrite a Windows system file if
an archived file with the name
attack vector is known as Zip Slip.
The fix is to ensure that files being decompressed to disk never write to a folder outside of the specified target folder. An exception will be thrown when a malicious file is encountered.
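
The containment check described above, sketched in C# as an added example. It is not DTF's code or the actual fix; `SafeExtractPath`, the demo folder and the entry names are made up for illustration.

```csharp
using System;
using System.IO;

// Added illustration, not DTF source: SafeExtractPath is a hypothetical helper.
static class ZipSlipCheck
{
    // Returns the full path an entry would be written to, or throws if that
    // path is not strictly inside targetDirectory.
    public static string SafeExtractPath(string targetDirectory, string entryName)
    {
        // Canonicalize the target and end it with a separator, so "C:\out"
        // cannot match a sibling folder such as "C:\out-other".
        string root = Path.GetFullPath(targetDirectory);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(sep, StringComparison.Ordinal)) root += sep;

        // GetFullPath collapses "." and ".." segments. Combine returns a rooted
        // entryName unchanged, so absolute names fail the same prefix test.
        string destination = Path.GetFullPath(Path.Combine(root, entryName));

        // Ordinal comparison fails closed: a path differing only in case is rejected.
        if (destination.Length == root.Length ||
            !destination.StartsWith(root, StringComparison.Ordinal))
        {
            throw new InvalidDataException(
                "Archive entry '" + entryName + "' resolves outside the target folder.");
        }
        return destination;
    }

    static void Main()
    {
        string target = Path.Combine(Path.GetTempPath(), "dtf-extract-demo");
        // Constructed entry names; the last one is an absolute path.
        string[] names = { "docs/readme.txt", "a/../b.txt", "../outside.txt",
                           "a/../../outside.txt", Path.Combine(Path.GetTempPath(), "abs.txt") };
        foreach (string name in names)
        {
            try { Console.WriteLine("ok       " + name + " -> " + SafeExtractPath(target, name)); }
            catch (InvalidDataException ex) { Console.WriteLine("rejected " + ex.Message); }
        }
    }
}
```

The first two names resolve inside the target folder and are accepted; the remaining three resolve outside it and raise the exception before any file would be written.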
This is a breaking change to DTF methods that decompress files to disk.
There are methods in DTF to decompress archived files into memory. To minimize the backwards compatibility impact, these methods will not be impacted by the fix.