Access Control: Zip Slip via File Upload
Identifier:
file_upload_zip_slip
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Zip Slip (CWE-22, path traversal reached through archive extraction) occurs when an application extracts an attacker-supplied archive without sanitising entry paths. A crafted ZIP or tar entry named `../escape_canary_<uuid>.txt` is written outside the extraction root if the extractor builds the destination with a naive `os.path.join` instead of resolving the joined path and checking that it still lies under the root. Variants include symlink-in-archive, nested archives, and ZIP bombs.
How we test: For each detected upload endpoint that accepts an archive (detected from filename heuristics and the recorded request's Content-Type), we submit a tiny archive whose entries carry a sentinel suffix (`escape_canary_<uuid>`) so they cannot collide with real customer paths. We test relative traversal entries, symlink-in-archive, nested archive variants, and a ZIP bomb capped at a 5x compression ratio and 1 MiB on the wire. Confirmation is read-back only: we GET the resolved canary path and assert that the server returns our exact canary content. We never overwrite cron paths, systemd units, or any real-looking filename.
Every probe emits a context.info event with the raw multipart request and the retrieval response as attachments.
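The following is an added example written for this page, not the scanner's own code: a hardened ZIP extractor that rejects the variants listed above (traversal entries, symlink entries, and entries with an excessive decompression ratio) before writing anything, shown against a constructed fixture archive that contains one benign entry plus those three hostile ones. The ratio and size limits, the function names, and the `escape_canary_` fixture entries are assumptions for the example; the canary naming mirrors the probe described above. Note that Python's own `zipfile.extractall` already strips `..` components, so the vulnerable pattern is a hand-rolled loop that joins `info.filename` onto the root itself, which `join_destination` reproduces for checking.

```python
import io
import os
import shutil
import stat
import tempfile
import uuid
import zipfile

# Policy limits for this example (assumptions, not values from the page):
# per-entry decompression ratio and total decompressed bytes per archive.
MAX_RATIO = 10.0
MAX_TOTAL_BYTES = 50 * 1024 * 1024


def join_destination(root: str, name: str) -> str:
    """Where a naive extractor that just os.path.join()s the entry name would write.
    Backslashes are normalised so a Windows-style '..\\' entry is judged the same way."""
    return os.path.normpath(os.path.join(root, name.replace("\\", "/")))


def is_inside(root: str, candidate: str) -> bool:
    """True only if candidate resolves (symlinks included) to root or beneath it."""
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    return os.path.commonpath([root_real, cand_real]) == root_real


def check_entries(archive_bytes: bytes, root: str) -> dict:
    """Map every entry name to 'ok' or the reason it must not be extracted."""
    verdicts = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Unix mode bits live in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                verdicts[name] = "symlink entry"
            elif name.startswith(("/", "\\")) or os.path.isabs(name):
                verdicts[name] = "absolute path"
            elif not is_inside(root, join_destination(root, name)):
                verdicts[name] = "path traversal"
            elif info.file_size / max(info.compress_size, 1) > MAX_RATIO:
                verdicts[name] = "compression ratio"
            elif total + info.file_size > MAX_TOTAL_BYTES:
                verdicts[name] = "total size"
            else:
                total += info.file_size
                verdicts[name] = "ok"
    return verdicts


def safe_extract(archive_bytes: bytes, root: str) -> list:
    """Extract only if every entry passes; returns the relative paths written."""
    bad = {n: v for n, v in check_entries(archive_bytes, root).items() if v != "ok"}
    if bad:
        raise ValueError(f"archive rejected: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            dest = join_destination(root, info.filename)  # verified inside root above
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(os.path.relpath(dest, root))
    return written


def build_archive(canary_id: str, hostile: bool) -> bytes:
    """Constructed fixture: one benign entry, plus (if hostile) a traversal entry,
    a symlink entry and a highly compressible entry standing in for a ZIP bomb."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(f"uploads/ok_{canary_id}.txt", "benign")
        if hostile:
            zf.writestr(f"../escape_canary_{canary_id}.txt", f"canary {canary_id}")
            link = zipfile.ZipInfo(f"link_{canary_id}")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, f"../escape_canary_{canary_id}.txt")
            zf.writestr("bomb.bin", b"\0" * 200_000, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def fresh_root() -> str:
    """A throwaway extraction root so the example never touches real paths."""
    return tempfile.mkdtemp(prefix="zipslip_example_")


if __name__ == "__main__":
    cid = uuid.uuid4().hex
    root = fresh_root()
    print(check_entries(build_archive(cid, hostile=True), root))
    try:
        safe_extract(build_archive(cid, hostile=True), root)
    except ValueError as exc:
        print("rejected:", exc)
    print("written:", safe_extract(build_archive(cid, hostile=False), root))
```

The check runs over the whole central directory before a single byte is written, so a hostile entry anywhere in the archive rejects the upload as a unit rather than leaving a half-extracted tree behind. The read-back confirmation the scanner performs is exactly what this design denies: the canary is never written, so a GET of the resolved canary path cannot return the canary content.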
References:
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.