Zip Slip path traversal in game updater via ZipFile.extractall() without entry path validation #4

Open
opened 2026-05-14 21:10:30 +02:00 by Claude · 0 comments

Problem

The updater downloads zip archives from the game server and extracts them with `zipfile.ZipFile.extractall()` without validating whether any archive entry contains path traversal sequences (e.g., `../../`). A crafted zip file can write files to arbitrary locations on the filesystem.

Location

`4lbion.py`, lines 737–749 (`with zipfile.ZipFile("temp.zip", "r") as tempZip: tempZip.extractall()`)

Risk

This is the classic "Zip Slip" attack. If a man-in-the-middle can intercept the update traffic (the app uses plain HTTP/HTTPS without pinning), or if the update server is compromised, a malicious zip with entries like `../../.bashrc` or `../../.ssh/authorized_keys` would silently overwrite arbitrary user files. Because the game files are large executables, this path is exercised on every fresh install or update.

Suggested fix direction

Before calling `extractall()`, iterate over `tempZip.namelist()` and reject (or skip) any entry whose resolved path escapes the target directory:

```python
import os
import zipfile

with zipfile.ZipFile("temp.zip", "r") as tempZip:
    # Resolve the extraction root once; realpath also collapses symlinks.
    target = os.path.realpath(os.getcwd())
    for member in tempZip.namelist():
        member_path = os.path.realpath(os.path.join(target, member))
        # The trailing separator stops a sibling such as "<target>-evil" from passing.
        if not member_path.startswith(target + os.sep):
            raise Exception(f"Zip Slip detected: {member}")
    tempZip.extractall()
```
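A fuller version of that check, added here as an illustration and not code from the 4lbion project: it builds two constructed archives in memory, one benign and one carrying a `../../.bashrc` entry of the kind described above, resolves each entry with `os.path.realpath`, compares it against the target with `os.path.commonpath` (which also accepts the target itself, so a `./` directory entry is not rejected by accident), flags absolute entry names separately (since `os.path.join` drops its left operand when the right one is absolute), and refuses the whole archive rather than skipping the offending entry. The names `find_unsafe_members`, `unsafe_names`, `safe_extract`, `build_zip` and `demo` are this example's own.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List


class ZipSlipError(Exception):
    """Raised when an archive entry would resolve outside the target directory."""


def is_within(target: str, candidate: str) -> bool:
    """True if candidate is target itself or lies below it (both already real paths).

    commonpath avoids the prefix pitfall of a bare startswith(target), which would
    accept "<target>-evil/x", and it accepts target itself, so "./" entries pass.
    """
    return os.path.commonpath([target, candidate]) == target


def find_unsafe_members(zf: zipfile.ZipFile, target: str) -> List[str]:
    """Return every entry name that would land outside target.

    Covers ".." traversal and absolute names ("/etc/x", "C:\\x"): os.path.join
    discards its left operand when the right one is absolute, so those are
    flagged before any join happens.
    """
    target = os.path.realpath(target)
    unsafe: List[str] = []
    for info in zf.infolist():
        name = info.filename
        host_name = name.replace("/", os.sep)  # archive names always use "/"
        if os.path.isabs(host_name) or os.path.splitdrive(host_name)[0]:
            unsafe.append(name)
            continue
        resolved = os.path.realpath(os.path.join(target, host_name))
        if not is_within(target, resolved):
            unsafe.append(name)
    return unsafe


def unsafe_names(zip_bytes: bytes, target: str) -> List[str]:
    """Scan an in-memory archive for escaping entries without extracting it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes), "r") as zf:
        return find_unsafe_members(zf, target)


def safe_extract(zip_bytes: bytes, target: str) -> List[str]:
    """Extract into target, refusing the whole archive if any entry escapes.

    Failing closed beats skipping the bad entry: a half-applied game update is
    worse than no update, and the rejection is an event worth logging.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes), "r") as zf:
        bad = find_unsafe_members(zf, target)
        if bad:
            raise ZipSlipError(f"refusing archive, entries escape target: {bad}")
        zf.extractall(target)
        return zf.namelist()


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample archive from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # stores the name verbatim, ".." included
    return buf.getvalue()


# Constructed samples (not real 4lbion update content).
BENIGN_ZIP = build_zip({"game/README.txt": b"ok", "game/bin/launcher": b"\x7fELF"})
MALICIOUS_ZIP = build_zip({"game/README.txt": b"ok", "../../.bashrc": b"# constructed"})


def demo() -> dict:
    """Run both archives against a fresh temp tree and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        # Two levels deep, so "../../.bashrc" would land in tmp where we can look for it.
        target = os.path.join(tmp, "updates", "install")
        os.makedirs(target)
        extracted = safe_extract(BENIGN_ZIP, target)
        try:
            safe_extract(MALICIOUS_ZIP, target)
            blocked = False
        except ZipSlipError:
            blocked = True
        return {
            "benign_count": len(extracted),
            "launcher_present": os.path.isfile(os.path.join(target, "game", "bin", "launcher")),
            "malicious_blocked": blocked,
            "escaped_file_written": os.path.exists(os.path.join(tmp, ".bashrc")),
        }


if __name__ == "__main__":
    print(demo())
```

One caveat worth knowing when assessing this finding: CPython's `ZipFile.extract()`/`extractall()` have stripped leading separators, drive letters and `..` components from member names since Python 3.3.1, so on a current interpreter a `../../.bashrc` entry is rewritten to `.bashrc` inside the target rather than written above it. The explicit check is still worthwhile as defence in depth: it fails closed and surfaces the tampering instead of silently renaming, it protects any future code path that writes members with its own `open()` loop, and it does not depend on interpreter version.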

Severity

critical

Found by

Automated audit by Claude Code

Reference
bc1bb/4lbion#4