nuclei-templates/file/nodejs/zip-path-overwrite.yaml

id: zip-path-overwrite

info:
  name: Zip Path Overwrite
  author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
  severity: info
  description: Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
  tags: file,nodejs

file:
  - extensions:
      - all

    matchers:
      - type: regex
        regex:
          - "\\$X = require\\('unzip'\\)"
          - "\\$X = require\\('unzipper'\\)"
          - "\\$Y\\.pipe\\(\\$UNZIP\\.Parse\\(...\\)\\)\\.on\\('entry', function $FUNC\\(...\\) {"
          - "\\$X = \\$FILENAME\\.indexOf\\(...\\)"
          - "\\$FUNC\\.pipe\\(\\$FS\\.createWriteStream\\(\\$FIL, ...\\)\\)"
          - "\\$FUNC\\.pipe\\(\\$FS\\.writeFile\\(\\$FIL, ...\\)\\)"
          - "\\$FUNC\\.pipe\\(\\$FS\\.writeFileSync\\(\\$FIL, ...\\)\\)"
          - "\\$UNZIP\\.Parse\\(...\\)\\.on\\('entry', function \\$FUNC\\(\\$ENTRY\\) {"
          - "\\$FS\\.createWriteStream\\(\\$FIL, ...\\)"
          - "\\$FS\\.writeFile\\(\\$FIL, ...\\)"
          - "\\$FS\\.writeFileSync\\(\\$FIL, ...\\)"
        condition: or