ZIP path traversal risk in BundleImportService #168

New Issue

Closed

opened 2026-04-10 16:03:57 +02:00 by shahondin1624 · 0 comments

shahondin1624 commented 2026-04-10 16:03:57 +02:00

Owner

Copy Link

Copy Source

Severity: MEDIUM

Location

lib/Service/BundleImportService.php:325

Description

When extracting ZIP files, $zip->getNameIndex($i) returns the filename as stored in the ZIP, which could contain path traversal sequences (e.g., ../../etc/passwd). While basename() is used to strip directories (line 335), the basename() call happens after the hidden file checks but the content is read from the original index, not the basename. The actual risk is low because the content is only used as CSV data, not written to disk.

Recommendation

Add explicit path traversal validation: reject entries containing .. or absolute paths.

## Severity: MEDIUM ## Location `lib/Service/BundleImportService.php:325` ## Description When extracting ZIP files, `$zip->getNameIndex($i)` returns the filename as stored in the ZIP, which could contain path traversal sequences (e.g., `../../etc/passwd`). While `basename()` is used to strip directories (line 335), the `basename()` call happens after the hidden file checks but the content is read from the original index, not the basename. The actual risk is low because the content is only used as CSV data, not written to disk. ## Recommendation Add explicit path traversal validation: reject entries containing `..` or absolute paths.

shahondin1624 added the backendsecuritypriority:medium labels 2026-04-10 16:03:57 +02:00

shahondin1624 referenced this issue from a commit 2026-04-10 16:20:30 +02:00

fix: reject ZIP entries with path traversal sequences (Closes #168)

shahondin1624 referenced a pull request that will close this issue 2026-04-10 16:20:36 +02:00

fix: reject ZIP entries with path traversal sequences (Closes #168) #181

shahondin1624 closed this issue 2026-04-10 16:20:41 +02:00

shahondin1624 referenced this issue from a commit 2026-04-10 16:20:41 +02:00

fix: reject ZIP entries with path traversal sequences (Closes #168) (#181)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/duplicate-sync-methods

fix/missing-database-transactions

fix/find-archived-filtering-in-memory

fix/n-plus-one-queries-member-list

v0.5.2

v0.3.2

v0.3.1

v0.3.0

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

Labels

Clear labels

backend

Backend / PHP work

bug

Bug report

database

Database migrations and schema

documentation

Documentation

enhancement

Enhancement or improvement

epic

Epic / feature-group issues

frontend

Frontend / Vue.js work

integration

Nextcloud integrations (Calendar, Contacts, Files)

priority:high

High priority

priority:low

Low priority

priority:medium

Medium priority

security

Security-related work

testing

Tests and test infrastructure

No Label backend priority:medium security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

shahondin1624

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: shahondin1624/Mitgliederverwaltung#168