Zip Slip Vulnerability Fix is not present in advertised nuget v 0.21.1 #308

New Issue

claunia · 2026-01-29T22:09:51Z

claunia commented

2026-01-29 22:09:51 +00:00

Originally created by @diaconesq on GitHub (Jun 28, 2018).

The Zip Slip vuln is fixed by #374 and should be included in v 0.21.0 as described here

However: I have decompiled versions 0.21.0 and 0.21.1 from Nuget.org (the .net 4.5 dll) and the fix is NOT there.

Decompiled Nuget code:

The PR for the fix:

Originally created by @diaconesq on GitHub (Jun 28, 2018). The Zip Slip vuln is fixed by #374 and should be included in v 0.21.0 as described [here](https://github.com/snyk/zip-slip-vulnerability) However: I have decompiled versions 0.21.0 and 0.21.1 from Nuget.org (the .net 4.5 dll) and the fix is NOT there. Decompiled Nuget code: ![image](https://user-images.githubusercontent.com/3482077/42028109-4af9f7aa-7ac3-11e8-98c1-eb96f64a6a3d.png) The PR for the fix: ![image](https://user-images.githubusercontent.com/3482077/42028306-cab37ae8-7ac3-11e8-986d-d09706c35448.png)

claunia closed this issue

2026-01-29 22:09:51 +00:00

claunia commented

2026-01-29 22:09:52 +00:00

@adamhathcock commented on GitHub (Jun 28, 2018):

You'll notice the classes you're referencing are two different classes.

The issue isn't that it's missing but incomplete. The implementation previously provided was for the Archive API and not the Reader API as you want. This should be fixed.

@adamhathcock commented on GitHub (Jun 28, 2018): You'll notice the classes you're referencing are two different classes. The issue isn't that it's missing but incomplete. The implementation previously provided was for the Archive API and not the Reader API as you want. This should be fixed.

Sign in to join this conversation.

Branches Tags

master

adam/master-release

adam/pooledmemorystream

adam/cleanup-streamextensions

release

copilot/fix-decompression-bomb-crash-bugs

copilot/dynamic-default-ringbuffer

copilot/support-7z-writer-in-csharp-10

copilot/fix-tar-entries-listing

copilot/fix-tar-archive-extension-hinting

copilot/fix-multiple-decompressors-crash

adam/more-7zip-writing

copilot/fix-non-seekable-stream-exception

adam/cli

adam/rework-7z-extraction

copilot/fix-7zip-opening-issue

copilot/fix-xzstream-non-seekable-streams

copilot/fix-archivefactory-openarchive-error

copilot/fix-compressed-tar-issue

copilot/sub-pr-1203

copilot/consolidate-readfully-readexact-logic

adam/make-nullable

copilot/fix-openentrystreamasync-memory-issue

adam/more-explode-async

copilot/fix-infinite-loop-rar-archive

adam/data-descriptor-fix

adam/fix-tests-with-proper-rewind

copilot/fix-data-descriptor-stream-bug

adam/lmza-investigation

adam/create-rar-async

adam/async-rar2

copilot/support-multi-threading-path

copilot/sub-pr-1132-again

adam/memory-perf

copilot/add-performance-benchmarking

copilot/sub-pr-1121

copilot/add-password-support-zip-files

copilot/add-so-optimized-zip-support

adam/rar-async-only

copilot/add-buffered-stream-async-read

copilot/sub-pr-1076

copilot/fix-decompression-exception

copilot/fix-archivefactory-issue

copilot/rationalize-sourcestream-volumes

adam/open-async

copilot/add-ace-archive-support

copilot/sub-pr-1040-again

adam/more-async-3

copilot/fix-tararchive-incomplete-iteration

adam/multi-threaded

copilot/sub-pr-1040

adam/awesome-copilot

copilot/fix-ziparchive-extraction-issue

copilot/fix-tararchive-open-crash

copilot/fix-tar-xz-file-reading-issue

copilot/setup-copilot-instructions

copilot/fix-decompression-performance-issue

copilot/convert-stream-access-to-async

adam/enable-agent

adam/async-deflate

adam/async-rar

adam/more-cleanup

adam/zstd

async-2

zstandard

net461-tests

dmg

async

build-netcore3

recycle-memory-stream

presentation

pax

netcore2

zip_encryption

dotnet-tool

tar_redux

native_zlib

Issue-197

system_buffers

TarNames

7zip_sfx

portable_crypto

WinRT

new_7zip

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/sharpcompress#308