Archive Extraction (Zip Slip)

Hard+200 XPA05:2021 Security MisconfigurationCWE-22

Path TraversalZip SlipArchiveFile Write

Scenario

An application extracts ZIP archives uploaded by users. For each entry in the archive, it builds the destination path by joining the extract directory with the entry's path.

ZIP archives can contain entries with paths like ../../evil.sh. When extracted naively, this writes files outside the intended directory.

This is the Zip Slip vulnerability — it allows an attacker to overwrite arbitrary files on the server, including cron jobs, startup scripts, or application code.

Zip Slip has affected dozens of popular libraries and frameworks across Java, Go, Python, and Ruby. Extracting archives without path validation can lead to arbitrary file write and remote code execution.

Your Tasks

Fix validateZipEntry so it rejects entry paths that escape the extract directory.
Throw an error with the message 'Zip slip detected' when the resolved entry path does not start with extractDir.
Return the safe extraction path on success.

Examples

Example 1 — Blocked — traversal entry path

validateZipEntry('/tmp/extract', '../../evil.sh')
// → throws Error('Zip slip detected')

Example 2 — Blocked — absolute path entry

validateZipEntry('/tmp/extract', '/etc/cron.d/evil')
// → throws Error('Zip slip detected')

Example 3 — Allowed — normal archive entry

validateZipEntry('/tmp/extract', 'docs/readme.txt')
// → returns '/tmp/extract/docs/readme.txt'

Constraints

›Only edit the function body — do not change the function signature.
›Handle both relative traversal paths (../../evil.sh) and absolute paths (/etc/cron.d/evil).
›No filesystem access required — resolve paths as strings.

Hint

References

CVE-2018-1002201 — Zip Slip in Zip4j Snyk Zip Slip Vulnerability Research CWE-22: Improper Limitation of a Pathname to a Restricted Directory OWASP Path Traversal

solution.js

Ln 1, Col 1│UTF-8│JavaScript

Sandbox ready

0/0/0not run