Fix CVE-2018-1000544 symlink path traversal

bdewater · bdewater · commit d68fbd2eb75d · 2018-07-01T16:45:06.000-04:00
Not sure if the exception is the right way to go
diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb
@@ -154,6 +154,9 @@ def extract(dest_path = nil, &block)
       elsif @name.squeeze('/') =~ /\.{2}(?:\/|\z)/
         puts "WARNING: skipped \"../\" path component(s) in #{@name}"
         return self
+      elsif symlink? && get_input_stream.read =~ %r{../..}
+        puts "WARNING: skipped \"#{get_input_stream.read}\" symlink path in #{@name}"
+        return self
       end
 
       dest_path ||= @name
diff --git a/test/data/symlink.zip b/test/data/symlink.zip
diff --git a/test/entry_test.rb b/test/entry_test.rb
@@ -177,4 +177,14 @@ def test_entry_name_with_absolute_path_extract_when_given_different_path
 
     assert File.exist?("#{path}/tmp/file.txt")
   end
+
+  def test_entry_name_with_relative_symlink
+    assert_raises Errno::ENOENT do
+      Zip::File.open('test/data/symlink.zip') do |zip_file|
+        zip_file.each do |entry|
+          entry.extract
+        end
+      end
+    end
+  end
 end
