29 lines
1.1 KiB
YAML
29 lines
1.1 KiB
YAML
id: zip-path-overwrite
|
|
|
|
info:
|
|
name: Zip Path Overwrite
|
|
author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
|
|
severity: info
|
|
description: Insecure ZIP archive extraction can result in arbitrary path overwrite and can result in code injection.
|
|
tags: file,nodejs
|
|
|
|
file:
|
|
- extensions:
|
|
- all
|
|
|
|
matchers:
|
|
- type: regex
|
|
regex:
|
|
- "require\\('unzip'\\)"
|
|
- "require\\('unzipper'\\)"
|
|
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.Parse\\([\\w\\W]*?\\)\\)\\.on\\('entry', function [\\w\\W]*?\\([\\w\\W]*?\\) \\{"
|
|
- "[\\w\\W]+? = [\\w\\W]+?\\.indexOf\\([\\w\\W]*?\\)"
|
|
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\)\\)"
|
|
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)\\)"
|
|
- "[\\w\\W]+?\\.pipe\\([\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\)\\)"
|
|
- "[\\w\\W]+?\\.Parse\\([\\w\\W]*?\\)\\.on\\('entry', function [\\w\\W]*?\\([\\w\\W]*?\\) \\{"
|
|
- "[\\w\\W]+?\\.createWriteStream\\([\\w\\W]*?\\)"
|
|
- "[\\w\\W]+?\\.writeFile\\([\\w\\W]*?\\)"
|
|
- "[\\w\\W]+?\\.writeFileSync\\([\\w\\W]*?\\)"
|
|
condition: or
|