Vulnerable to zip slip

It appears as decompress is vulnerable to archives containing files that hold path-traversal names such as ../../outside.txt.

As a PoC I have attached a .tar.gz-archive(slip.tar.gz) that will, when extracted, create a file in /tmp/slipped.txt. Use the example code to extract:

const decompress = require('decompress');

decompress('slip.tar.gz', 'dist').then(files => {
	console.log('done!');
});

Note that this will not work out-of-the-box with .zip-archives since yauzl will throw an exception if the entry’s filename contains “..”.

However, since this package also supports symlinks we can use that instead to bypass this limitation. But just adding a symlink to our desired target location won’t do the trick - since the archive’s files are being extracted asynchronous (index.js#44-73) we will end up in a race condition between extracting the symlink and the file referencing it.

By creating a directory and within that create a symlink to its’ parent directory. Continue with creating a symlink to / and a file with a name using a looped structure of all symlinks to the target. We end up with something like;

mkdir generic_dir
ln -s ../ generic_dir/symlink_to_parent_dir
ln -s / symlink_to_root
touch generic_dir/symlink_to_parent_dir/generic_dir/symlink_to_parent_dir/[...]/symlink_to_root/tmp/slipped_zip.txt

Adding this to an archive allows us to always win the race! Here’s a PoC (slip.zip), that when extracted will create a file in /tmp/slipped_zip.txt. Demonstrating how this also works for zip-archives using symlinks.