fix unarchive vulnerability

- avoid malicious record name being able to write to system files
- address imports for unit tests

Author: NSProgrammer

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## History
 
+### 1.11.2 (September 4, 2018) - Nolan O'Brien
+- Fix vulnerability when zip archive provides malicious output file name
+
 ### 1.11.1 (August 14, 2018) - Nolan O'Brien
 
 - Update Brotli (v1.0.5) and ZStandard (v1.3.5)

ZipUtilities.podspec

@@ -1,6 +1,6 @@
 Pod::Spec.new do |s|
   s.name         = "ZipUtilities"
-  s.version      = "1.11.1"
+  s.version      = "1.11.2"
   s.summary      = "Zip Archiving, Unarchiving and Utilities in Objective-C"
   s.description  = <<-DESC
 					ZipUtilities, prefixed with NOZ for Nolan O'Brien ZipUtilities, is a library of zipping and unzipping utilities for iOS and Mac OS X.

ZipUtilities/NOZDecompress.m

@@ -301,20 +301,20 @@ - (NSError *)private_unzipAllEntries
 
         NSError *innerError = nil;
         [self->_unzipper saveRecord:record
-                  toDirectory:self->_sanitizedDestinationDirectoryPath
-                      options:(overwrite) ? NOZUnzipperSaveRecordOptionOverwriteExisting : NOZUnzipperSaveRecordOptionsNone
-                progressBlock:^(int64_t totalBytes,
-                                int64_t bytesComplete,
-                                int64_t byteWrittenThisPass,
-                                BOOL *abort) {
-                    if (self.isCancelled) {
-                        stackError = kCancelledError;
-                        *abort = YES;
-                    } else {
-                        [self private_didDecompressBytes:byteWrittenThisPass];
-                    }
-                }
-                        error:&innerError];
+                        toDirectory:self->_sanitizedDestinationDirectoryPath
+                            options:(overwrite) ? NOZUnzipperSaveRecordOptionOverwriteExisting : NOZUnzipperSaveRecordOptionsNone
+                      progressBlock:^(int64_t totalBytes,
+                                      int64_t bytesComplete,
+                                      int64_t byteWrittenThisPass,
+                                      BOOL *abort) {
+                          if (self.isCancelled) {
+                              stackError = kCancelledError;
+                              *abort = YES;
+                          } else {
+                              [self private_didDecompressBytes:byteWrittenThisPass];
+                          }
+                      }
+                              error:&innerError];
 
         if (!stackError) {
             if (innerError) {

ZipUtilities/NOZUnzipper.m

@@ -347,8 +347,9 @@ - (BOOL)saveRecord:(NOZCentralDirectoryRecord *)record
         }
     });
 
-    BOOL overwrite = (options & NOZUnzipperSaveRecordOptionOverwriteExisting) != 0;
-    BOOL followIntermediatePaths = !(options & NOZUnzipperSaveRecordOptionIgnoreIntermediatePath);
+    destinationRootDirectory = [destinationRootDirectory stringByStandardizingPath];
+    const BOOL overwrite = (options & NOZUnzipperSaveRecordOptionOverwriteExisting) != 0;
+    const BOOL followIntermediatePaths = !(options & NOZUnzipperSaveRecordOptionIgnoreIntermediatePath);
 
     NSFileManager *fm = [NSFileManager defaultManager];
     NSString *destinationFile = nil;
@@ -358,7 +359,13 @@ - (BOOL)saveRecord:(NOZCentralDirectoryRecord *)record
         destinationFile = [[destinationRootDirectory stringByAppendingPathComponent:record.nameNoCopy.lastPathComponent] stringByStandardizingPath];
     }
 
+    if (![destinationFile hasPrefix:destinationRootDirectory]) {
+        stackError = [NSError errorWithDomain:NSPOSIXErrorDomain code:EBADF userInfo:nil];
+        return NO;
+    }
+
     if (![fm createDirectoryAtPath:[destinationFile stringByDeletingLastPathComponent] withIntermediateDirectories:YES attributes:nil error:error]) {
+        stackError = [NSError errorWithDomain:NSPOSIXErrorDomain code:EACCES userInfo:nil];
         return NO;
     }
 

ZipUtilitiesTests/NOZCoderTests.m

@@ -10,8 +10,9 @@
 #import "NOZXBrotliCompressionCoder.h"
 #import "NOZXZStandardCompressionCoder.h"
 
+#import "ZipUtilities.h"
+
 @import XCTest;
-@import ZipUtilities;
 
 #define NOZCompressionMethodZStandard       (100)
 #define NOZCompressionMethodZStandard_D128  (101)

ZipUtilitiesTests/NOZCompressTests.m

@@ -25,9 +25,10 @@
 //  SOFTWARE.
 //
 
+#import "ZipUtilities.h"
+
 @import Foundation;
 @import XCTest;
-@import ZipUtilities;
 
 //#define TESTLOG(...) NSLog(__VA_ARGS__)
 #define TESTLOG(...) ((void)0)

ZipUtilitiesTests/NOZDecompressTests.m

@@ -25,9 +25,10 @@
 //  SOFTWARE.
 //
 
+#import "ZipUtilities.h"
+
 @import Foundation;
 @import XCTest;
-@import ZipUtilities;
 
 //#define TESTLOG(...) NSLog(__VA_ARGS__)
 #define TESTLOG(...) ((void)0)