
Zip4J is listed as vulnerable to Zip Slip. They claim that Zip4J 1.3.3 has the fix. However, the JAR we download from their site is empty and has no classes.

Did anyone manage to get the 1.3.3 version? Is there any other alternative for a zip utility that supports encrypted zips? I have mailed the Zip4J developer, but I am checking here as well to see how everyone is handling it.

Harippriya

3 Answers


Zip4j 1.3.3 with the Zip Slip fix is now available on the Maven Repository.


I noticed there is a problem with the JAR files from their own website at http://www.lingala.net/zip4j/download.php

But when I downloaded it from https://mvnrepository.com/artifact/net.lingala.zip4j/zip4j/1.3.2, it is working perfectly.

Wilson
Thanks Wilson. I actually rebuilt the JARs from the source code on GitHub. The mvnrepo is a much better option. – Harippriya Nov 26 '18 at 03:46

In case you have encountered the Zip Slip vulnerability in your code that supports zip extraction and are searching for a fix:

The solution below, from Google, helped me handle this exploit (the key is to check the canonical path of the file; in the positive case it must start with your desired destination path):

import java.io.File

val destination = File(destinationFilePath).canonicalPath
val file = File("$destinationFilePath/$filePath")
// Compare against the destination plus a separator so that "/out" does not also accept "/out-evil/x".
if (file.canonicalPath != destination && !file.canonicalPath.startsWith(destination + File.separator)) {
    logger.get().warn(TAG, "Malicious file detected, skipping extracting file ${file.name}")
    return null
}

(In my case I was using 7-Zip-JBinding-4Android for zip extraction/compression)

Astha Garg
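As an added example (not code from the answer above, and not from Zip4J or 7-Zip-JBinding), here is the same canonical-path check in Python, generalised to a full extraction loop run over a constructed archive. The archive contents, function names and temporary directory are assumptions made for the demonstration. It also shows the caveat that a bare prefix comparison misses: with a destination of /out, a plain startsWith accepts /out-evil/x, so the hardened check compares against the destination plus a path separator.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile


def naive_is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """The check as it is usually written: canonical target must start with canonical destination.
    Kept only to show its weakness: a sibling directory sharing the name prefix is accepted."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return target.startswith(dest_real)


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Hardened check: the resolved target is the destination itself or lies strictly below it.
    Comparing against dest_real + os.sep stops "/out" from accepting "/out-evil/x"."""
    dest_real = os.path.realpath(dest_dir)
    # os.path.join discards dest_real when entry_name is absolute, and realpath folds "..",
    # so both absolute names and parent-directory traversal resolve outside dest_real.
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract every entry that passes is_safe_entry; return (extracted, rejected) entry names.
    zf.open() is used instead of zf.extract() so that the path check shown here is the only one applied."""
    extracted: list[str] = []
    rejected: list[str] = []
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_real, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real-world sample): one benign entry and two hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../../evil.txt", "zip slip: escapes via parent directory\n")
        zf.writestr("/etc/passwd", "zip slip: absolute path\n")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the constructed archive into a fresh temporary directory (assumed writable)."""
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    return safe_extract(build_sample_zip(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    print("rejected: ", bad)
```

Running the file extracts only docs/readme.txt and reports ../../evil.txt and /etc/passwd as rejected. The separator comparison is the part most ports of the check leave out; is_safe_entry and naive_is_safe_entry differ only on that point, and only the former rejects an entry resolving to /out-evil/x when the destination is /out.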