Coder Code Extension Marketplace Zip Slip Vulnerability Allowing Arbitrary File Write

Vulnerability

A Zip Slip vulnerability has been identified in Coder Code Extension Marketplace versions through 2.4.1. It allows a malicious VSIX file to write arbitrary files outside the extension directory. The issue arose because the 'ExtractZip' function passed raw zip entry names to a callback that wrote files using 'filepath.Join' without checking that the resulting path stayed inside the base directory. 'filepath.Join' cleans '..' components lexically, but the cleaned path can still point outside the base directory. As a result, an authenticated user with upload capabilities could exploit this vulnerability by submitting a VSIX file containing path-traversal entries. When the file is extracted, the payload could be written to locations chosen by the attacker, potentially leading to unauthorized persistence or modification of system files, depending on the privileges of the marketplace process.
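
The following Go program is an added illustration of the missing boundary check, written for this page; it is not the marketplace project's own code, and the function names (SafeJoin, ExtractZip, BuildZip, writeEntry), the base path and the archive contents are constructed for the demo. It shows that filepath.Join on a traversal entry yields a path outside the base directory, then extracts an in-memory archive only after every entry has been validated with filepath.Rel, so a hostile archive is refused whole rather than partially written. Refusing symlink entries is a hardening step beyond what the advisory describes.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeEntry marks an archive entry that must not be extracted.
var ErrUnsafeEntry = errors.New("zip entry escapes the extraction directory")

// SafeJoin is the check the advisory says was missing: filepath.Join cleans
// ".." lexically but will happily return a path outside base, so the result
// is compared against base afterwards and rejected unless it is base itself
// or lies strictly beneath it. (Hypothetical helper, not the project's API.)
func SafeJoin(base, name string) (string, error) {
	if filepath.IsAbs(name) { // zip entries must be relative
		return "", ErrUnsafeEntry
	}
	base = filepath.Clean(base)
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

// ExtractZip writes the archive held in data beneath dest. Every entry is
// validated before any file is written, so a hostile archive is refused whole
// instead of being partially extracted. Symlink entries are also refused.
func ExtractZip(data []byte, dest string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File {
		target, err := SafeJoin(dest, f.Name)
		if err != nil {
			return nil, fmt.Errorf("entry %q: %w", f.Name, err)
		}
		if f.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("entry %q: symlinks are not extracted", f.Name)
		}
		targets[i] = target
	}
	var written []string
	for i, f := range zr.File {
		if f.FileInfo().IsDir() {
			if err := os.MkdirAll(targets[i], 0o755); err != nil {
				return written, err
			}
			continue
		}
		if err := writeEntry(f, targets[i]); err != nil {
			return written, err
		}
		written = append(written, targets[i])
	}
	return written, nil
}

// writeEntry copies one already-validated entry to its target path.
func writeEntry(f *zip.File, target string) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, rc)
	return err
}

// BuildZip assembles an in-memory archive from name/content pairs. It exists
// only to construct sample input for this demo; archive/zip's writer does not
// validate entry names, which is why hostile archives are easy to produce.
func BuildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range entries {
		w, err := zw.Create(name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	base := "/srv/marketplace/extensions/example" // constructed base path
	name := "../../../../tmp/escaped.txt"        // constructed traversal entry
	fmt.Println("filepath.Join alone:", filepath.Join(base, name))
	_, err := SafeJoin(base, name)
	fmt.Println("SafeJoin:", err)

	dir, _ := os.MkdirTemp("", "vsix-demo")
	defer os.RemoveAll(dir)
	hostile := BuildZip(map[string]string{"extension/package.json": "{}", name: "x"})
	files, err := ExtractZip(hostile, dir)
	fmt.Printf("hostile archive: written=%v err=%v\n", files, err)
}
```

The two-pass structure matters: validating entries while writing them would still leave earlier benign entries on disk and, worse, lets a symlink written early redirect a later write. Validating the whole manifest first, then writing, keeps the extraction atomic with respect to the check.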

Impact

Exploitation of this vulnerability could allow for arbitrary file writes outside the intended directory, with the potential for injecting malicious files into sensitive system locations, such as cron jobs or SSH keys, or overwriting binaries.

Remediation

Users can upgrade to Coder Code Extension Marketplace version 2.4.2 to address this vulnerability.

Added: Apr 6, 2026, 10:24 PM
Updated: Apr 6, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 5.2
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.