[PR #374] [MERGED] fix: prevent extracting archived files outside of target path #990

New Issue

claunia · 2026-01-29T22:18:30Z

claunia commented

2026-01-29 22:18:30 +00:00

📋 Pull Request Information

Original PR: https://github.com/adamhathcock/sharpcompress/pull/374
Author: @odinn1984
Created: 5/2/2018
Status: ✅ Merged
Merged: 5/2/2018
Merged by: @adamhathcock

Base: master ← Head: feat/fail_on_outside_target_files

📝 Commits (1)

80ceb1c fix: prevent extracting archived files outside of target path

📊 Changes

3 files changed (+46 additions, -2 deletions)

View changed files

📝 src/SharpCompress/Archives/IArchiveEntryExtensions.cs (+19 -2)
📝 tests/SharpCompress.Test/Zip/ZipArchiveTests.cs (+27 -0)
➕ tests/TestArchives/Archives/Zip.Evil.zip (+0 -0)

📄 Description

This PR is meant to fix an arbitrary file write vulnerability, that can be
achieved using a specially crafted zip archive, that holds path traversal
filenames. When the filename gets concatenated to the target extraction
directory, the final path ends up outside of the target folder.

A sample malicious zip file named Zip.Evil.zip was used,
and when running the code below, resulted in the creation of C:/Temp/evil.txt
outside of the intended target directory.

There are various possible ways to avoid this issue, some include checking
for .. (dot dot) characters in the filename, but the best solution in our
opinion is to check if the final target filename, starts with the target
folder (after both are resolved to their absolute path).

Stay secure,
Snyk Team

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/adamhathcock/sharpcompress/pull/374 **Author:** [@odinn1984](https://github.com/odinn1984) **Created:** 5/2/2018 **Status:** ✅ Merged **Merged:** 5/2/2018 **Merged by:** [@adamhathcock](https://github.com/adamhathcock) **Base:** `master` ← **Head:** `feat/fail_on_outside_target_files` --- ### 📝 Commits (1) - [`80ceb1c`](https://github.com/adamhathcock/sharpcompress/commit/80ceb1c375fdb1b4ffba16528c99089e804ce61f) fix: prevent extracting archived files outside of target path ### 📊 Changes **3 files changed** (+46 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `src/SharpCompress/Archives/IArchiveEntryExtensions.cs` (+19 -2) 📝 `tests/SharpCompress.Test/Zip/ZipArchiveTests.cs` (+27 -0) ➕ `tests/TestArchives/Archives/Zip.Evil.zip` (+0 -0) </details> ### 📄 Description This PR is meant to fix an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive, that holds path traversal filenames. When the filename gets concatenated to the target extraction directory, the final path ends up outside of the target folder. A sample malicious zip file named Zip.Evil.zip was used, and when running the code below, resulted in the creation of C:/Temp/evil.txt outside of the intended target directory. There are various possible ways to avoid this issue, some include checking for .. (dot dot) characters in the filename, but the best solution in our opinion is to check if the final target filename, starts with the target folder (after both are resolved to their absolute path). Stay secure, Snyk Team --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

claunia added the pull-request label 2026-01-29 22:18:30 +00:00

claunia referenced this issue

2026-01-29 22:20:25 +00:00

[PR #990] [MERGED] Make all library exceptions inherit from SharpCompressException #1408

claunia referenced this issue

2026-01-29 22:20:26 +00:00

[PR #990] Make all library exceptions inherit from SharpCompressException #1411

Sign in to join this conversation.

Branches Tags

master

release

adam/merge-release-to-master

dependabot/nuget/xunit.v3-3.2.2

adam/more-explode-async

copilot/fix-infinite-loop-rar-archive

adam/data-descriptor-fix

adam/fix-tests-with-proper-rewind

copilot/fix-data-descriptor-stream-bug

adam/lmza-investigation

adam/create-rar-async

adam/async-rar2

copilot/support-multi-threading-path

copilot/sub-pr-1132-again

adam/memory-perf

copilot/add-performance-benchmarking

copilot/sub-pr-1121

copilot/add-password-support-zip-files

copilot/add-so-optimized-zip-support

adam/rar-async-only

copilot/add-buffered-stream-async-read

copilot/sub-pr-1076

copilot/fix-decompression-exception

copilot/fix-archivefactory-issue

copilot/rationalize-sourcestream-volumes

adam/open-async

copilot/add-ace-archive-support

copilot/sub-pr-1040-again

adam/more-async-3

copilot/fix-tararchive-incomplete-iteration

adam/multi-threaded

copilot/sub-pr-1040

adam/awesome-copilot

copilot/fix-ziparchive-extraction-issue

copilot/fix-tararchive-open-crash

copilot/fix-tar-xz-file-reading-issue

copilot/setup-copilot-instructions

copilot/fix-decompression-performance-issue

copilot/convert-stream-access-to-async

adam/enable-agent

adam/async-deflate

adam/async-rar

adam/more-cleanup

adam/zstd

async-2

zstandard

net461-tests

dmg

async

build-netcore3

recycle-memory-stream

presentation

pax

netcore2

zip_encryption

dotnet-tool

tar_redux

native_zlib

Issue-197

system_buffers

TarNames

7zip_sfx

portable_crypto

WinRT

new_7zip

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/sharpcompress#990