Reported Zip Slip fix #1313
Closed
adamhathcock wants to merge 7 commits into
Contributor
Pull request overview
This PR refactors extraction path handling by moving shared extraction logic onto IEntry extensions and centralizing destination-path validation in a new DirectoryManagement helper. It fits into SharpCompress’s extraction pipeline by changing the common code paths used by archive, reader, and entry extraction APIs while also adding security-focused tests.
Changes:
- Moved extraction helpers from the old internal `ExtractionMethods` classes into new `IEntry` extension methods.
- Added `DirectoryManagement` and `Utility.PathComparison` to normalize destination paths and enforce traversal checks.
- Added new security tests covering Zip Slip/path traversal scenarios across sync and async archive/reader APIs.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/SharpCompress.Test/Security/ZipSlip.cs | Adds a focused Zip Slip regression test for archive extraction APIs. |
| tests/SharpCompress.Test/Security/ExtractionPathTraversalTests.cs | Adds broader sync/async traversal coverage across archive and reader entrypoints. |
| src/SharpCompress/Utility.cs | Moves path-comparison behavior into a shared utility. |
| src/SharpCompress/Readers/IReaderExtensions.cs | Repoints sync reader extraction to the new IEntry helpers. |
| src/SharpCompress/Readers/IAsyncReaderExtensions.cs | Repoints async reader extraction to the new IEntry helpers. |
| src/SharpCompress/Common/IEntryExtensions.cs | Introduces shared sync extraction logic on IEntry. |
| src/SharpCompress/Common/IEntryExtensions.Async.cs | Introduces shared async extraction logic on IEntry. |
| src/SharpCompress/Common/ExtractionMethods.cs | Removes the old sync extraction helper implementation. |
| src/SharpCompress/Common/ExtractionMethods.Async.cs | Removes the old async extraction helper implementation. |
| src/SharpCompress/Common/DirectoryManagement.cs | Adds centralized destination-directory normalization and containment checks. |
| src/SharpCompress/Archives/IAsyncArchiveExtensions.cs | Updates async archive extraction to use the new shared core methods. |
| src/SharpCompress/Archives/IArchiveExtensions.cs | Updates sync archive extraction to use the new shared core methods. |
| src/SharpCompress/Archives/IArchiveEntryExtensions.cs | Repoints archive-entry extraction APIs to the new IEntry helpers. |
Owner
Author
This was somehow merged
This was referenced May 6, 2026
This was referenced May 11, 2026
This was referenced May 18, 2026
This pull request refactors and modernizes the extraction logic in the SharpCompress library, focusing on moving extraction methods from static utility classes to extension methods on the `IEntry` type. It also introduces a new `DirectoryManagement` utility for robust path handling and security, and removes the old static `ExtractionMethods` classes. The main goals are to improve code organization, enhance security checks, and streamline extraction workflows.

Key changes include:

Refactoring and API Modernization

- Migrated extraction methods such as `WriteEntryToDirectory`, `WriteEntryToFile`, and their async counterparts from the static `ExtractionMethods` classes to extension methods on `IEntry`, providing a more object-oriented and discoverable API. (src/SharpCompress/Archives/IArchiveEntryExtensions.cs, src/SharpCompress/Common/IEntryExtensions.Async.cs, [1] [2] [3] [4] [5])
- Updated all usages in `IArchiveExtensions` and `IAsyncArchiveExtensions` to use the new extension methods, removing reliance on the old static methods. (src/SharpCompress/Archives/IArchiveEntryExtensions.cs, src/SharpCompress/Archives/IArchiveExtensions.cs, src/SharpCompress/Archives/IAsyncArchiveExtensions.cs, [1] [2] [3] [4] [5] [6])

Security and Path Handling

- Introduced a new `DirectoryManagement` utility class that centralizes logic for verifying and normalizing destination paths, ensuring extraction cannot escape the intended directory (prevents directory traversal attacks). (src/SharpCompress/Common/DirectoryManagement.cs, src/SharpCompress/Common/DirectoryManagement.csR1-R77)
- All extraction methods now use `DirectoryManagement` to validate paths and handle directory creation securely. (src/SharpCompress/Common/IEntryExtensions.Async.cs, src/SharpCompress/Common/IEntryExtensions.Async.csR1-R114)

Code Cleanup and Removal

- `ExtractionMethods` and `ExtractionMethods.Async` classes, consolidating extraction logic into the new extension methods and utility class. (src/SharpCompress/Common/ExtractionMethods.cs, src/SharpCompress/Common/ExtractionMethods.Async.cs, [1] [2])

Minor Improvements

- `using` directives and improved XML documentation in extension classes. (src/SharpCompress/Archives/IArchiveExtensions.cs, src/SharpCompress/Archives/IAsyncArchiveExtensions.cs, [1] Fa3e9948L1, [2])

These changes make the extraction API more idiomatic, secure, and maintainable.
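A sketch of the kind of destination-path normalization and containment check the description refers to, added here as an example; it is not code from this pull request or from SharpCompress. The names `SafeExtractPath` and `Resolve`, the platform-based comparison policy, and the sample entry names are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added illustration; names are hypothetical, not SharpCompress's DirectoryManagement API.
static class SafeExtractPath
{
    // Assumed policy: case-insensitive comparison on Windows, case-sensitive elsewhere.
    static readonly StringComparison Comparison =
        RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

    public static string Resolve(string destinationDirectory, string entryKey)
    {
        // Normalize the root and force a trailing separator so that "out"
        // does not also match the sibling directory "out-evil".
        string root = Path.GetFullPath(destinationDirectory);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses ".." segments. Path.Combine returns a rooted
        // entryKey unchanged, so absolute entry names fail the check below too.
        string target = Path.GetFullPath(Path.Combine(root, entryKey));

        if (!target.StartsWith(root, Comparison))
            throw new InvalidOperationException(
                $"Entry '{entryKey}' resolves outside '{root}'");
        return target;
    }
}

static class Program
{
    static void Main()
    {
        string dest = Path.Combine(Path.GetTempPath(), "out");
        // Constructed entry names: one benign, three that must be rejected.
        foreach (var key in new[] { "docs/readme.txt", "../evil.txt",
                                    "../out-evil/x.txt", "/etc/passwd" })
        {
            try { Console.WriteLine($"OK      {key} -> {SafeExtractPath.Resolve(dest, key)}"); }
            catch (InvalidOperationException e) { Console.WriteLine($"BLOCKED {e.Message}"); }
        }
    }
}
```

The check is purely lexical: it does not resolve symbolic links that already exist under the destination directory.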