Test symlinks

reimic · reimic · commit 09054fa407d9 · 2024-03-28T21:23:18.000+01:00
diff --git a/src/WordPress/Zip/ZipException.php b/src/WordPress/Zip/ZipException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace WordPress\Zip;
+
+use Exception;
+
+class ZipException extends Exception {}
diff --git a/src/WordPress/Zip/functions.php b/src/WordPress/Zip/functions.php
@@ -14,8 +14,14 @@ function zip_extract_to( $fp, $to_path ) {
 			continue;
 		}
 
+		// prevent zip slip -> using relative path to access otherwise inaccessible files
 		if ( false !== strpos( $entry->path ,'..') ) {
-			continue;
+			throw new ZipException("Relative paths in zips are not allowed.");
+		}
+
+		// prevent zip with symlinks -> using a symbolic link to access otherwise inaccessible files
+		if ( is_link( $entry->path ) ) {
+			throw new ZipException("Semantic links in zips are not allowed.");
 		}
 
 		$path   = Path::canonicalize( $to_path . '/' . $entry->path );
diff --git a/tests/unit/zip/ZipFunctionsTest.php b/tests/unit/zip/ZipFunctionsTest.php
@@ -3,17 +3,25 @@
 namespace unit\zip;
 
 use PHPUnitTestCase;
-use Symfony\Component\Filesystem\Path;
+use WordPress\Zip\ZipException;
 use function WordPress\Zip\zip_extract_to;
 
 class ZipFunctionsTest extends PHPUnitTestCase {
-	public function testIsImmuneToZipSlipVulnerability() {
+	public function testThrowsExceptionWhenZipContainsFilesWithRelativePaths() {
 		// zipped file named: "../../../../../../../../tmp/zip-slip-test.txt"
 		$zip = __DIR__ . '/resources/zip-slip-test.zip';
 
-		zip_extract_to( fopen( $zip, 'rb' ), dirname( $zip ) );
+		self::expectException(ZipException::class);
+		self::expectExceptionMessage("Relative paths in zips are not allowed.");
+		zip_extract_to(fopen($zip, 'rb'), dirname($zip));
+	}
+
+	public function testThrowsExceptionWhenZipContainsFilesWithSymlinks() {
+		// zipped semantic link
+		$zip = __DIR__ . '/resources/zip-symlinks-test.zip';
 
-		$slipped_file = Path::canonicalize(__DIR__ . "../../../../../../../../tmp/zip-slip-test.txt");
-		self::assertFileDoesNotExist( $slipped_file );
+		self::expectException(ZipException::class);
+		self::expectExceptionMessage("Relative paths in zips are not allowed.");
+		zip_extract_to(fopen($zip, 'rb'), dirname($zip));
 	}
 }
diff --git a/tests/unit/zip/resources/zip-symlinks-test.zip b/tests/unit/zip/resources/zip-symlinks-test.zip

Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,14 @@ function zip_extract_to( $fp, $to_path ) {`
`14`	`14`	`continue;`
`15`	`15`	`}`
`16`	`16`
	`17`	`+ // prevent zip slip -> using relative path to access otherwise inaccessible files`
`17`	`18`	`if ( false !== strpos( $entry->path ,'..') ) {`
`18`		`- continue;`
	`19`	`+ throw new ZipException("Relative paths in zips are not allowed.");`
	`20`	`+ }`
	`21`	`+`
	`22`	`+ // prevent zip with symlinks -> using a symbolic link to access otherwise inaccessible files`
	`23`	`+ if ( is_link( $entry->path ) ) {`
	`24`	`+ throw new ZipException("Semantic links in zips are not allowed.");`
`19`	`25`	`}`
`20`	`26`
`21`	`27`	`$path = Path::canonicalize( $to_path . '/' . $entry->path );`