Potential rule: path traversal when extracting zip archives

[gcmurphy]

It would be fairly typical to include the file path from the zip file when extracting it's contents to disk
like in this:

import (
	"archive/zip"
	"io"
	"os"
	"path/filepath"
	"strings"
)

func unzip(archive, target string) error {
	reader, err := zip.OpenReader(archive)
	if err != nil {
		return err
	}

	if err := os.MkdirAll(target, 0755); err != nil {
		return err
	}

	for _, file := range reader.File {
		path := filepath.Join(target, file.Name)
		if file.FileInfo().IsDir() {
			os.MkdirAll(path, file.Mode())
			continue
		}

		fileReader, err := file.Open()
		if err != nil {
			return err
		}
		defer fileReader.Close()

		targetFile, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
		if err != nil {
			return err
		}
		defer targetFile.Close()

		if _, err := io.Copy(targetFile, fileReader); err != nil {
			return err
		}
	}

	return nil
}

(original source)

It could be possible to create a zip archive with: ../../../../../some_file to achieve path traversal here.
We should investigate whether this could be detected. I think if we detect filepath.Join inclusive of zip.File type, without sanitisation, and the use of that identifier in a write operation you could get a fairly high confidence here.

[hansmi]

If it can be reasonably detected it's a good idea. The same verification can be applied to archive/tar.