Validate symlink targets during ZIP extraction to prevent path traversal

rm335 · rm335 · commit a6e9b044390a · 2026-03-12T17:01:44.000+01:00
diff --git a/Sources/Private/EmbeddedLibraries/ZipFoundation/Archive+Reading.swift b/Sources/Private/EmbeddedLibraries/ZipFoundation/Archive+Reading.swift
@@ -26,7 +26,8 @@ extension Archive {
     to url: URL,
     bufferSize: Int = defaultReadChunkSize,
     skipCRC32: Bool = false,
-    progress: Progress? = nil
+    progress: Progress? = nil,
+    allowedDestination: URL? = nil
   ) throws -> CRC32 {
     guard bufferSize > 0 else {
       throw ArchiveError.invalidBufferSize
@@ -71,6 +72,22 @@ extension Archive {
       }
       let consumer = { (data: Data) in
         guard let linkPath = String(data: data, encoding: .utf8) else { throw ArchiveError.invalidEntryPath }
+        // Validate that the symlink target resolves within the allowed destination directory.
+        // Without this check, a malicious ZIP could create symlinks pointing to arbitrary system files.
+        if let allowedDestination = allowedDestination {
+          let resolvedTarget: URL
+          if linkPath.hasPrefix("/") {
+            resolvedTarget = URL(fileURLWithPath: linkPath).standardized
+          } else {
+            resolvedTarget = url.deletingLastPathComponent().appendingPathComponent(linkPath).standardized
+          }
+          guard resolvedTarget.isContained(in: allowedDestination) else {
+            throw CocoaError(
+              .fileReadInvalidFileName,
+              userInfo: [NSFilePathErrorKey: resolvedTarget.path]
+            )
+          }
+        }
         try fileManager.createParentDirectoryStructure(for: url)
         try fileManager.createSymbolicLink(atPath: url.path, withDestinationPath: linkPath)
       }
diff --git a/Sources/Private/EmbeddedLibraries/ZipFoundation/FileManager+ZIP.swift b/Sources/Private/EmbeddedLibraries/ZipFoundation/FileManager+ZIP.swift
@@ -251,9 +251,15 @@ extension FileManager {
       if let progress {
         let entryProgress = archive.makeProgressForReading(entry)
         progress.addChild(entryProgress, withPendingUnitCount: entryProgress.totalUnitCount)
-        crc32 = try archive.extract(entry, to: entryURL, skipCRC32: skipCRC32, progress: entryProgress)
+        crc32 = try archive.extract(
+          entry,
+          to: entryURL,
+          skipCRC32: skipCRC32,
+          progress: entryProgress,
+          allowedDestination: destinationURL
+        )
       } else {
-        crc32 = try archive.extract(entry, to: entryURL, skipCRC32: skipCRC32)
+        crc32 = try archive.extract(entry, to: entryURL, skipCRC32: skipCRC32, allowedDestination: destinationURL)
       }
 
       func verifyChecksumIfNecessary() throws {
