Is the new ZIP library completely secure?

[Ricardo Fernández Serrata]

The ZIP specification allows 3 main vulnerabilities to happen: absolute paths, relative paths, and symbolic links (symlnks). All based on filesystem traversal.

I watched this video till the end: https://youtu.be/Ry_yb5Oipq0

And I realized that a lot of users (including me) extract ZIPs directly, without using ZIP List to check the inner files for validation. So I'm concerned if AM is possibly vulnerable to any of these 3.

I think I could test it by hex editing a ZIP file, or downloading an already existing "test vector", but IDK how to do the former, and the latter is risky

[Henrik "The Developer" Lindqvist]

None of those vulnerabilities should be an issue.

All filenames in the zip file are normalized and resolved to absolute paths, absolute within the zip, so they shouldn't be able to be extracted beyond, e.g. to a parent of, the destination directory.

Symlinks aren't supported at all, so they should be extracted as empty files.

Anyhow, those vulnerabilities are less of an issue on Android since regular apps don't have write access to any sensitive system directories anyway, i.e internal storage.

Any "test vector" zip you find, please send them to me so i can include them in my unit tests.

[Ricardo Fernández Serrata]

Ok, thank you for the info and your time. I'll try to find test files

[Ricardo Fernández Serrata]

I think these may be helpful: https://github.com/snyk/zip-slip-vulnerability/tree/master/archives 

[Henrik "The Developer" Lindqvist]

Thanks, i'll add them to my unit tests.