Quarkus OpenAPI Generator Path Traversal Vulnerability in ZIP Extraction
Vulnerability
A path traversal vulnerability has been identified in the Quarkus OpenAPI Generator extension, affecting releases before 2.16.0 and, on the LTS line, before 2.15.0-lts. The flaw is in the 'unzip()' method of the 'ApicurioCodegenWrapper' class, which builds each destination path by joining the ZIP entry name onto the output directory without first checking that the resolved path still lies inside that directory. A crafted archive whose entry names contain traversal sequences such as '../' can therefore write files outside the intended output directory (the well-known "Zip Slip" pattern). Exploitation requires control over the ZIP archive the extension downloads from the Apicurio registry: either by operating or compromising the registry, or by tampering with the download in transit where the connection crosses an untrusted network or TLS is missing or not verified.
Impact
Exploitation gives the attacker an arbitrary file write on the machine running the build, with the privileges of the build process. That is enough to overwrite source files, inject code into the generated sources that are compiled into the build output, or modify configuration files. In CI/CD environments, where the generated code is built and published automatically, this amounts to a software supply chain compromise.
Reproduction
To reproduce, create a ZIP file containing an entry whose name carries a path traversal sequence, for example '../../proof.txt', and upload it as an artifact to an Apicurio registry endpoint. Configure the Quarkus OpenAPI Generator to fetch that artifact through its server code generation path and trigger code generation. With a vulnerable version, 'proof.txt' is written two directory levels above the intended output directory instead of inside it.
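The following is an added example, not code from the Quarkus OpenAPI Generator project or from this advisory. It models the two halves of the description above in Python: constructing a ZIP whose entry name is '../../proof.txt' (the reproduction step) and extracting it first with the unchecked join-and-write pattern the advisory describes, then with a hardened variant that canonicalises each destination and refuses entries that resolve outside the output directory. The build tree '<scratch>/proj/target/generated' is a hypothetical layout chosen so that the escaped file lands two levels up, in '<scratch>/proj'; everything runs inside a throwaway temporary directory and is removed afterwards.

```python
import io
import os
import shutil
import tempfile
import zipfile

# Constructed sample input: a single-entry archive whose name carries '../'
# components, mirroring the reproduction step in the advisory.
TRAVERSAL_ENTRY = "../../proof.txt"


def build_malicious_zip(entry_name=TRAVERSAL_ENTRY, payload=b"written by traversal\n"):
    """Build, in memory, a ZIP whose entry name contains a path traversal
    sequence. zipfile.writestr stores the name verbatim, '..' and all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def unzip_unchecked(zip_bytes, output_dir):
    """The flawed pattern: the entry name is joined onto output_dir and the
    file is written wherever that path resolves. (ZipFile.extract() would
    strip the '..' for us, so the bytes are copied by hand to reproduce the
    bug.) Returns the real paths of the files written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(output_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(os.path.realpath(target))
    return written


def unzip_checked(zip_bytes, output_dir):
    """Hardened form: canonicalise the destination and refuse any entry whose
    resolved path is not inside the canonical output directory. This rejects
    '../' sequences, absolute entry names and symlinked escapes alike, and it
    does so before anything is written to disk."""
    root = os.path.realpath(output_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"zip entry escapes output directory: {info.filename!r}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written


def run_demo():
    """Extract the malicious archive with both routines under a throwaway
    tree <scratch>/proj/target/generated (hypothetical build layout) and
    report where the unchecked version put the file and whether the checked
    version refused it."""
    scratch = tempfile.mkdtemp(prefix="zipslip-")
    try:
        output_dir = os.path.join(scratch, "proj", "target", "generated")
        os.makedirs(output_dir)
        zip_bytes = build_malicious_zip()

        landed = unzip_unchecked(zip_bytes, output_dir)[0]
        # Two levels above output_dir: <scratch>/proj/proof.txt
        expected_escape = os.path.realpath(os.path.join(scratch, "proj", "proof.txt"))

        try:
            unzip_checked(zip_bytes, output_dir)
            rejected = False
        except ValueError:
            rejected = True

        real_out = os.path.realpath(output_dir)
        return {
            "escaped_to_grandparent": landed == expected_escape,
            "inside_output_dir": os.path.commonpath([real_out, landed]) == real_out,
            "checked_rejected": rejected,
            "output_dir_untouched": os.listdir(output_dir) == [],
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check in unzip_checked compares canonical paths with os.path.commonpath rather than a plain string prefix test, so a sibling directory such as 'generated2' cannot slip past as a prefix match of 'generated', and the validation happens before any directory or file is created.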
Remediation
Upgrade to Quarkus OpenAPI Generator 2.16.0, or to 2.15.0-lts on the LTS line; both releases validate extracted entry paths. Until the upgrade is applied, the exposure described above can be reduced by fetching artifacts only from a trusted Apicurio registry over a TLS connection whose certificate is verified, since the attack depends on controlling or tampering with the archive the extension downloads.
