fix(resourceinfo): reject manifest paths escaping the destination #23

Open
Rakdos8 wants to merge 1 commit into carbonengine:main from Rakdos8:fix/zip-slip-path-containment

Rakdos8 commented May 15, 2026

Summary

Closes a zip-slip / path-traversal arbitrary file write in the resource
unpack path.

Problem

m_relativePath comes straight from the manifest and was joined onto
basePath and written (5 Put* sites) with no containment check. A
manifest entry such as ../../x or an absolute path wrote files anywhere
on disk.

Fix

Add a file-local IsPathWithinBase helper (weakly_canonical +
lexically_relative, with a lexical-normalise fallback) and guard every
write site, returning the existing MALFORMED_RESOURCE_INPUT result when
the target escapes basePath.

Type

Security — path traversal / arbitrary file write (Critical).

Testing

Manual review; legitimate relative paths resolve within base and are
unaffected; ../absolute escapes are now refused.

m_relativePath comes straight from the manifest and was joined onto
basePath and written with no containment check, so an entry like
'../../x' (zip-slip) wrote files anywhere on disk. Add a containment
check (weakly_canonical + lexically_relative, lexical fallback) and
refuse any Put* whose target escapes basePath.
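
The containment check the description names (weakly_canonical + lexically_relative, with a lexical fallback), written here as an added example; it is not the PR's code, whose helper is not shown on this page. The function name `IsPathWithinBaseExample`, the base directory and the manifest entries are constructed for illustration.

```cpp
#include <filesystem>
#include <iostream>
#include <system_error>

namespace fs = std::filesystem;

// Hypothetical helper for illustration; the PR's IsPathWithinBase is not shown on the page.
// True only when base / relative resolves to a file location strictly inside base.
bool IsPathWithinBaseExample(const fs::path& base, const fs::path& relative)
{
    // A rooted entry (e.g. "/etc/x") would replace base entirely in operator/.
    if (relative.has_root_path())
        return false;

    std::error_code ec;
    fs::path root = fs::weakly_canonical(base, ec);
    fs::path target = ec ? fs::path() : fs::weakly_canonical(base / relative, ec);
    if (ec) {
        // Lexical fallback: normalise "." and ".." without consulting the filesystem.
        std::error_code ignored;
        root = fs::absolute(base, ignored).lexically_normal();
        target = (root / relative).lexically_normal();
    }
    if (root.empty())
        return false;

    // Compare component by component, not as strings: a string-prefix test
    // would accept a sibling such as "<base>_evil/x".
    const fs::path rel = target.lexically_relative(root);
    if (rel.empty() || rel == fs::path("."))
        return false; // unrelated roots, or the base directory itself
    return *rel.begin() != fs::path("..");
}

int main()
{
    // Constructed base directory and manifest entries.
    const fs::path base = fs::temp_directory_path() / "unpack_example";
    for (const char* entry : {"res/a.bin", "a/../b.bin", "../../x", "../unpack_example_evil/x", "/etc/x"})
        std::cout << entry << " -> " << (IsPathWithinBaseExample(base, entry) ? "write" : "refuse") << '\n';
}
```

`weakly_canonical` resolves symlinks in the part of the path that already exists, so a symlink inside the base that points outside it is caught only on that path, not in the lexical fallback.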