@ptrgits ptrgits commented Aug 1, 2025

```go
for _, f := range r.File {
	// Open each file in the zip archive
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	// Create the corresponding file in the target directory
	path := filepath.Join(targetDir, f.Name)
	if f.FileInfo().IsDir() {
		// Create directories if the file is a directory
		err = os.MkdirAll(path, f.Mode())
		if err != nil {
			return nil, err
		}
	} else {
		// Create the file and copy the contents
		file, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
		if err != nil {
			return nil, err
		}
		defer file.Close()
		_, err = io.Copy(file, rc)
		if err != nil {
			return nil, err
		}
		// Append the file path to the list
		filePaths = append(filePaths, path)
	}
}
```

To fix the "Zip Slip" vulnerability, we need to ensure that the output path constructed from each archive entry does not escape the intended target directory. The best way to do this is to:

  1. Clean the entry name using filepath.Clean.
  2. Ensure the resulting path is not absolute and does not contain any .. elements that would traverse outside the target directory.
  3. After joining the cleaned entry name to the target directory, check that the resulting path is still within the target directory (using filepath.Rel or by comparing the prefix).
  4. Only proceed with file system operations if the path is safe.

The changes should be made in the unzip function in router/batchrouter/asyncdestinationmanager/bing-ads/audience/util.go, specifically around the construction and use of the path variable. We will also need to add a helper function to check that the final path is within the target directory.

Extracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. Zip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (..). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.

References

Zip Slip Vulnerability
Path Traversal
CWE-22

Security

  • The code changed/added as part of this pull request won't create any security issues with how the software is being used.
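The four-step check described in this PR, written out as an added Go example that is not part of the PR or the project's own code; the helper name `safeJoin`, the error value `ErrUnsafePath`, the target directory `/srv/audience` and the entry names in `main` are all assumed or constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for an archive entry that would resolve outside targetDir.
var ErrUnsafePath = errors.New("archive entry escapes target directory")

// safeJoin is a hypothetical helper (not the project's code) implementing the
// PR's steps: clean the entry name, reject absolute names, join to targetDir,
// then confirm with filepath.Rel that the result is still inside targetDir.
func safeJoin(targetDir, entryName string) (string, error) {
	// Zip entry names use '/' regardless of host OS; normalise before cleaning.
	cleaned := filepath.Clean(filepath.FromSlash(entryName))
	if filepath.IsAbs(cleaned) {
		return "", ErrUnsafePath
	}
	base := filepath.Clean(targetDir)
	dest := filepath.Join(base, cleaned) // Join also cleans, collapsing any ".."
	rel, err := filepath.Rel(base, dest)
	if err != nil {
		return "", ErrUnsafePath
	}
	// Rel yields ".." or "../..." exactly when dest lies outside base.
	// A plain prefix check on ".." would wrongly reject names like "..hidden".
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return dest, nil
}

func main() {
	// Constructed entry names: the kinds of values a crafted archive could carry.
	entries := []string{"data/report.csv", "..hidden/ok.txt", "../../etc/passwd", "/etc/passwd", "a/../../b", ".."}
	for _, name := range entries {
		if dest, err := safeJoin("/srv/audience", name); err != nil {
			fmt.Printf("REJECT %-20q %v\n", name, err)
		} else {
			fmt.Printf("OK     %-20q -> %s\n", name, dest)
		}
	}
}
```

In the unzip loop, `path := filepath.Join(targetDir, f.Name)` would be replaced by a call to this helper, returning its error before any MkdirAll or OpenFile is attempted.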

@contributor-support

Thank you @ptrgits for contributing this PR.
Please sign the Contributor License Agreement (CLA) before merging.


This PR is considered to be stale. It has been open 20 days with no further activity thus it is going to be closed in 7 days. To avoid such a case please consider removing the stale label manually or add a comment to the PR.

@github-actions github-actions bot added the Stale label Aug 21, 2025