Appium Zip Slip Vulnerability in @appium/support Prior to 7.0.6 Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability, known as Zip Slip, has been identified in the @appium/support package of Appium, affecting versions through 7.0.5. The issue arises in the ZIP extraction method 'extractAllTo()', which uses the 'ZipExtractor.extract()' function. The path traversal check intended to prevent malicious ZIP entries from writing files outside the designated directory is ineffective: although the check constructs an Error object, it never throws it, so extraction proceeds and the traversal entry is written. This issue impacts all JavaScript-based extractions by default, not just those with the 'fileNamesEncoding' option enabled.

Impact

Exploitation of this vulnerability allows for arbitrary file writes to any location writable by the Appium process, including the creation of symlinks pointing to arbitrary targets. Such symlinks could facilitate further attacks by manipulating subsequent file operations. Additionally, overwriting certain files could potentially lead to remote code execution.

Reproduction

The vulnerability can be reproduced by creating a malicious ZIP file containing a traversal entry that exploits the ineffective path check. After crafting the ZIP file, it can be extracted using the vulnerable 'ZipExtractor' method, which will result in the traversal entry writing a file outside the intended directory.

Remediation

Users can upgrade to @appium/support version 7.0.6 or later, where this vulnerability has been fixed.

Added: Mar 10, 2026, 6:43 PM
Updated: Mar 10, 2026, 6:43 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.7
exploitability: 7.7
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.