Hi @sandeeep-prajapati
Good Day
This Side @rajeev
I have found a security issue; the full case is below, so let's look and fix it.
While reviewing the bundle extraction functionality, I identified a potential ZIP Slip / path traversal risk in the archive extraction workflow.
The application currently extracts uploaded ZIP archives using ZipArchive::extractTo() and also performs manual file write operations without visible path traversal sanitization or canonical path validation.
Affected Component
app/Packages/BundleInstaller/src/Services/BundleExtractorService.php
Observed Code Paths
$zip->extractTo($packagePath);
and:
$targetPath = $packagePath . '/' . $relativePath;
file_put_contents($targetPath, $zip->getFromIndex($i));
Potential Risk
A malicious ZIP archive containing traversal sequences such as ../ could potentially lead to unintended file write operations outside the intended extraction directory.
Possible impacts may include:
unauthorized file overwrite
application tampering
malicious file placement
potential remote code execution chains depending on deployment configuration
Recommendation
Consider implementing:
ZIP entry path validation before extraction
rejection of traversal sequences (../)
canonical path validation using realpath
symlink extraction restrictions
allowlisted extraction directories
I have intentionally not included a public proof-of-concept payload to avoid unnecessary exposure.
Thanks for reviewing the report Mr @sandeeep-prajapati
Please let me know if you would like additional technical details privately, and I would also recommend adding a SECURITY.md policy to streamline future security reporting and coordinated disclosure.
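The hardened extraction routine below is an added example, not code from the BundleInstaller package or from the report's author. It replaces the `extractTo()` / `file_put_contents()` pattern quoted above with the controls the recommendation lists: lexical validation of every entry name (no `..` segments, no absolute paths, no backslashes or NUL bytes), refusal of symlink entries read from the entry's Unix external attributes, and a `realpath()` check that the canonical parent of each target stays under the canonical extraction directory. The class name, method names and the `$destDir` convention are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical class, not the project's own code): a hardened
 * replacement for `$zip->extractTo($packagePath)` and the manual
 * `file_put_contents($packagePath . '/' . $relativePath, ...)` write.
 */
final class SafeZipExtractor
{
    /** Extracts $zipFile into $destDir; throws on the first entry that would escape it. */
    public static function extract(string $zipFile, string $destDir): int
    {
        // Canonicalise the destination once; it must already exist.
        $base = realpath($destDir);
        if ($base === false || !is_dir($base)) {
            throw new RuntimeException("extraction directory missing: $destDir");
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

        $zip = new ZipArchive();
        if ($zip->open($zipFile) !== true) {
            throw new RuntimeException("cannot open archive: $zipFile");
        }

        $written = 0;
        try {
            for ($i = 0; $i < $zip->numFiles; $i++) {
                $name = $zip->getNameIndex($i);
                if ($name === false || !self::isSafeEntryName($name)) {
                    throw new RuntimeException("rejected entry #$i: " . var_export($name, true));
                }
                if (self::isSymlinkEntry($zip, $i)) {
                    throw new RuntimeException("rejected symlink entry: $name");
                }

                $target = $base . str_replace('/', DIRECTORY_SEPARATOR, $name);

                if (substr($name, -1) === '/') {          // directory entry
                    self::ensureDirInside($base, $target);
                    continue;
                }
                self::ensureDirInside($base, dirname($target));
                if (is_link($target)) {                   // never write through a pre-existing link
                    throw new RuntimeException("target is a symlink: $name");
                }
                $data = $zip->getFromIndex($i);
                if ($data === false || file_put_contents($target, $data, LOCK_EX) === false) {
                    throw new RuntimeException("write failed: $name");
                }
                $written++;
            }
        } finally {
            $zip->close();
        }
        return $written;
    }

    /** Lexical checks on the entry name; needs no filesystem access. */
    public static function isSafeEntryName(string $name): bool
    {
        if ($name === '' || strpos($name, "\0") !== false || strpos($name, '\\') !== false) {
            return false;
        }
        if ($name[0] === '/' || preg_match('/^[A-Za-z]:/', $name) === 1) {
            return false;                                 // absolute path or drive letter
        }
        foreach (explode('/', $name) as $segment) {
            if ($segment === '..') {
                return false;                             // traversal segment
            }
        }
        return true;
    }

    /** True when the entry was stored as a Unix symlink (S_IFLNK in the high 16 bits). */
    private static function isSymlinkEntry(ZipArchive $zip, int $index): bool
    {
        $opsys = 0;
        $attr = 0;
        if (!$zip->getExternalAttributesIndex($index, $opsys, $attr)) {
            return false;
        }
        return $opsys === ZipArchive::OPSYS_UNIX && (($attr >> 16) & 0170000) === 0120000;
    }

    /** Creates $dir if needed and confirms its canonical path is under $base. */
    private static function ensureDirInside(string $base, string $dir): void
    {
        if (!is_dir($dir) && !mkdir($dir, 0755, true) && !is_dir($dir)) {
            throw new RuntimeException("cannot create $dir");
        }
        $real = realpath($dir);
        if ($real === false || strncmp($real . DIRECTORY_SEPARATOR, $base, strlen($base)) !== 0) {
            throw new RuntimeException("resolved path escapes extraction root: $dir");
        }
    }
}
```

The `realpath()` comparison is what makes the allowlisted-directory check hold even when an entry name passes the lexical test but a directory already inside `$destDir` is a symlink pointing elsewhere; for that reason the routine should be pointed at a freshly created, empty directory rather than a location that may already contain untrusted contents. Failing closed on the first bad entry (instead of skipping it) also gives the installer a clear signal to reject the whole bundle and log the offending entry name for review.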