ZIP Slip 压缩目录穿越攻击全面解析与防御指南<\/h1>

1. ZIP Slip 攻击概述<\/h2>

ZIP Slip（压缩目录穿越攻击）是一种针对处理压缩文件（如ZIP、TAR等格式）应用程序的安全漏洞。攻击者通过精心构造的压缩文件，诱导目标应用程序在解压时将文件提取到预期目录之外的位置，可能导致：<\/p>

覆盖重要系统文件<\/li>
执行恶意代码<\/li>

破坏系统正常运行<\/li> <\/ul>

2. 攻击原理详解<\/h2>

攻击核心在于路径遍历序列<\/strong>的利用：<\/p>

攻击者构造包含特殊路径的压缩文件（如使用"..\/"表示上级目录）<\/li>
应用程序解压时未对路径进行严格验证<\/li>
文件被解压到预期目录之外的位置<\/li> <\/ol>
典型攻击场景<\/strong>：<\/p>

Web应用允许用户上传并解压文件到"\/uploads"目录<\/li>
攻击者上传包含路径为"..\/..\/etc\/passwd"的压缩文件<\/li>
应用解压时覆盖系统"\/etc\/passwd"文件<\/li> <\/ul>
3. 各语言不安全实现分析<\/h2>
3.1 Java 不安全实现<\/h3>
3.1.1 ZipInputStream<\/h4>
public<\/span> static<\/span> void<\/span> unsafe_unzip<\/span>(<\/span>String file_name,<\/span> String output)<\/span> {<\/span> <\/span><\/span> File destDir =<\/span> new<\/span> File(<\/span>output);<\/span> <\/span><\/span> try<\/span> (<\/span>ZipInputStream zip =<\/span> new<\/span> ZipInputStream(<\/span>new<\/span> FileInputStream(<\/span>file_name)))<\/span> {<\/span> <\/span><\/span> ZipEntry entry;<\/span> <\/span><\/span> while<\/span> ((<\/span>entry =<\/span> zip.<\/span>getNextEntry<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> String path =<\/span> output +<\/span> File.<\/span>separator<\/span> +<\/span> entry.<\/span>getName<\/span>();<\/span> <\/span><\/span> try<\/span> (<\/span>FileOutputStream fos =<\/span> new<\/span> FileOutputStream(<\/span>path))<\/span> {<\/span> <\/span><\/span> byte<\/span>[]<\/span> buffer =<\/span> new<\/span> byte<\/span>[<\/span>1024<\/span>];<\/span> <\/span><\/span> int<\/span> len;<\/span> <\/span><\/span> while<\/span> ((<\/span>len =<\/span> zip.<\/span>read<\/span>(<\/span>buffer))<\/span> ><\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> fos.<\/span>write<\/span>(<\/span>buffer,<\/span> 0<\/span>,<\/span> len);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> zip.<\/span>closeEntry<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {}<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> 直接使用entry.getName()<\/code>构建路径<\/li> 未对路径进行清理或验证<\/li> <\/ul> 3.1.2 ZipFile<\/h4> public<\/span> static<\/span> void<\/span> unsafe_unzip5<\/span>(<\/span>String file_name,<\/span> String output)<\/span> {<\/span> <\/span><\/span> try<\/span> (<\/span>ZipFile zipFile =<\/span> new<\/span> ZipFile(<\/span>new<\/span> File(<\/span>file_name)))<\/span> {<\/span> <\/span><\/span> zipFile.<\/span>entries<\/span>().<\/span>asIterator<\/span>().<\/span>forEachRemaining<\/span>(<\/span>entry -><\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Path destPath =<\/span> Paths.<\/span>get<\/span>(<\/span>output,<\/span> entry.<\/span>getName<\/span>());<\/span> <\/span><\/span> File fil =<\/span> new<\/span> File(<\/span>destPath.<\/span>toString<\/span>());<\/span> <\/span><\/span> if<\/span> (<\/span>entry.<\/span>isDirectory<\/span>())<\/span> {<\/span> <\/span><\/span> fil.<\/span>mkdirs<\/span>();<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> fil.<\/span>getParentFile<\/span>().<\/span>mkdirs<\/span>();<\/span> <\/span><\/span> try<\/span> (<\/span>InputStream in =<\/span> zipFile.<\/span>getInputStream<\/span>(<\/span>entry);<\/span> <\/span><\/span> OutputStream out =<\/span> Files.<\/span>newOutputStream<\/span>(<\/span>destPath))<\/span> {<\/span> <\/span><\/span> in.<\/span>transferTo<\/span>(<\/span>out);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException e){}<\/span> <\/span><\/span> });<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> 直接使用entry.getName()<\/code>构建目标路径<\/li> 未检查文件名中的"..\/"等遍历字符<\/li> <\/ul> 3.1.3 TarArchiveInputStream<\/h4> public<\/span> static<\/span> void<\/span> unsafe_untar<\/span>(<\/span>String file_name,<\/span> String output)<\/span> {<\/span> <\/span><\/span> File destDir =<\/span> new<\/span> File(<\/span>output);<\/span> <\/span><\/span> try<\/span> (<\/span>TarArchiveInputStream tarIn =<\/span> new<\/span> TarArchiveInputStream(<\/span> <\/span><\/span> new<\/span> BufferedInputStream(<\/span>new<\/span> FileInputStream(<\/span>file_name)))){<\/span> <\/span><\/span> ArchiveEntry entry;<\/span> <\/span><\/span> while<\/span> ((<\/span>entry =<\/span> tarIn.<\/span>getNextEntry<\/span>())<\/span> !=<\/span> null<\/span>){<\/span> <\/span><\/span> Path extractTo =<\/span> Paths.<\/span>get<\/span>(<\/span>output).<\/span>resolve<\/span>(<\/span>entry.<\/span>getName<\/span>());<\/span> <\/span><\/span> Files.<\/span>copy<\/span>(<\/span>tarIn,<\/span> extractTo);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>IOException e){<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> 直接使用entry.getName()<\/code>解析路径<\/li> 未对路径进行规范化处理<\/li> <\/ul> 3.2 Python 不安全实现<\/h3> 3.2.1 ZipFile + shutil.copyfileobj()<\/h4> def<\/span> unzip<\/span>(file_name, output): # bad<\/span> <\/span><\/span> with<\/span> zipfile.<\/span>ZipFile(file_name, 'r'<\/span>) as<\/span> zf: <\/span><\/span> for<\/span> filename in<\/span> zf.<\/span>namelist(): <\/span><\/span> # Output<\/span> <\/span><\/span> output_path =<\/span> os.<\/span>path.<\/span>join(output, filename) <\/span><\/span> with<\/span> zf.<\/span>open(filename) as<\/span> source: <\/span><\/span> with<\/span> open(output_path, 'wb'<\/span>) as<\/span> destination: <\/span><\/span> shutil.<\/span>copyfileobj(source, destination) <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> os.path.join<\/code>未规范化路径<\/li> 允许文件名中包含"..\/"引用父目录<\/li> <\/ul> 3.2.2 TarFile.extract()<\/h4> def<\/span> untar<\/span>(file_name, output): # bad<\/span> <\/span><\/span> with<\/span> tarfile.<\/span>open(file_name, 'r'<\/span>) as<\/span> tf: <\/span><\/span> for<\/span> member in<\/span> tf.<\/span>getmembers(): <\/span><\/span> tf.<\/span>extract(member) <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> extract()<\/code>方法不会自动移除多余的分隔符和点<\/li> 直接使用压缩包中的路径信息<\/li> <\/ul> 3.3 Golang 不安全实现<\/h3> 3.3.1 archive\/zip<\/h4> func<\/span> unzip<\/span>(src<\/span> string<\/span>, dest<\/span> string<\/span>) error<\/span> { <\/span><\/span> r<\/span>, err<\/span> :=<\/span> zip<\/span>.OpenReader<\/span>(src<\/span>) <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> defer<\/span> r<\/span>.Close<\/span>() <\/span><\/span> <\/span><\/span> for<\/span> _<\/span>, f<\/span> :=<\/span> range<\/span> r<\/span>.File<\/span> { <\/span><\/span> fpath<\/span> :=<\/span> filepath<\/span>.Join<\/span>(dest<\/span>, f<\/span>.Name<\/span>) <\/span><\/span> if<\/span> f<\/span>.FileInfo<\/span>().IsDir<\/span>() { <\/span><\/span> os<\/span>.MkdirAll<\/span>(fpath<\/span>, os<\/span>.ModePerm<\/span>) <\/span><\/span> continue<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> outFile<\/span>, err<\/span> :=<\/span> os<\/span>.Create<\/span>(fpath<\/span>) <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> defer<\/span> outFile<\/span>.Close<\/span>() <\/span><\/span> <\/span><\/span> inFile<\/span>, err<\/span> :=<\/span> f<\/span>.Open<\/span>() <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> defer<\/span> inFile<\/span>.Close<\/span>() <\/span><\/span> <\/span><\/span> _<\/span>, err<\/span> = io<\/span>.Copy<\/span>(outFile<\/span>, inFile<\/span>) <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> nil<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> 直接使用f.Name<\/code>构建路径<\/li> 缺少路径安全验证<\/li> <\/ul> 3.3.2 archive\/tar<\/h4> func<\/span> untar<\/span>(src<\/span> string<\/span>, dest<\/span> string<\/span>) error<\/span> { <\/span><\/span> file<\/span>, err<\/span> :=<\/span> os<\/span>.Open<\/span>(src<\/span>) <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> defer<\/span> file<\/span>.Close<\/span>() <\/span><\/span> <\/span><\/span> tr<\/span> :=<\/span> tar<\/span>.NewReader<\/span>(file<\/span>) <\/span><\/span> for<\/span> { <\/span><\/span> header<\/span>, err<\/span> :=<\/span> tr<\/span>.Next<\/span>() <\/span><\/span> if<\/span> err<\/span> ==<\/span> io<\/span>.EOF<\/span> { <\/span><\/span> break<\/span> <\/span><\/span> } <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> target<\/span> :=<\/span> filepath<\/span>.Join<\/span>(dest<\/span>, header<\/span>.Name<\/span>) <\/span><\/span> if<\/span> header<\/span>.Typeflag<\/span> ==<\/span> tar<\/span>.TypeDir<\/span> { <\/span><\/span> os<\/span>.MkdirAll<\/span>(target<\/span>, os<\/span>.ModePerm<\/span>) <\/span><\/span> continue<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> outFile<\/span>, err<\/span> :=<\/span> os<\/span>.Create<\/span>(target<\/span>) <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> defer<\/span> outFile<\/span>.Close<\/span>() <\/span><\/span> <\/span><\/span> _<\/span>, err<\/span> = io<\/span>.Copy<\/span>(outFile<\/span>, tr<\/span>) <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> nil<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> 直接使用header.Name<\/code>构建目标路径<\/li> 缺少路径安全验证<\/li> <\/ul> 3.4 Ruby 不安全实现<\/h3> 3.4.1 zip模块<\/h4> def<\/span> unsafe_unzip<\/span>(file_name, output) # bad<\/span> <\/span><\/span> Zip<\/span>::<\/span>File<\/span>.<\/span>open(file_name) do<\/span> |<\/span>zip_file|<\/span> <\/span><\/span> zip_file.<\/span>each do<\/span> |<\/span>entry|<\/span> <\/span><\/span> file_path =<\/span> File<\/span>.<\/span>join(output, entry.<\/span>name) <\/span><\/span> FileUtils<\/span>.<\/span>mkdir_p(File<\/span>.<\/span>dirname(file_path)) <\/span><\/span> zip_file.<\/span>extract(entry, file_path) <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> extract()<\/code>方法不会自动处理多余的分隔符和点<\/li> 直接使用entry.name<\/code>构建路径<\/li> <\/ul> 3.4.2 TarReader模块<\/h4> def<\/span> unsafe_untar<\/span>(file_name, output) # bad<\/span> <\/span><\/span> File<\/span>.<\/span>open(file_name, 'rb'<\/span>) do<\/span> |<\/span>file_stream|<\/span> <\/span><\/span> Gem<\/span>::<\/span>Package<\/span>::<\/span>TarReader<\/span>.<\/span>new(file_stream).<\/span>each do<\/span> |<\/span>entry|<\/span> <\/span><\/span> entry_var =<\/span> entry.<\/span>full_name <\/span><\/span> path =<\/span> File<\/span>.<\/span>expand_path(entry_var, output) <\/span><\/span> File<\/span>.<\/span>open(path, 'wb'<\/span>) do<\/span> |<\/span>f|<\/span> <\/span><\/span> f.<\/span>write(entry.<\/span>read) <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p> 直接使用entry.full_name<\/code>构建路径<\/li> 缺少路径规范化处理<\/li> <\/ul> 4. 构造恶意压缩文件的方法<\/h2> 4.1 ZIP类型<\/h3> import<\/span> zipfile <\/span><\/span> <\/span><\/span>def<\/span> compress_file<\/span>(filename): <\/span><\/span> with<\/span> zipfile.<\/span>ZipFile('..\/payloads\/payload.zip'<\/span>, 'w'<\/span>) as<\/span> zipf: <\/span><\/span> zipf.<\/span>writestr(filename, "PoC"<\/span>) <\/span><\/span> <\/span><\/span>filename =<\/span> '..\/poc.txt'<\/span> <\/span><\/span>compress_file(filename) <\/span><\/span><\/code><\/pre>4.2 TAR类型<\/h3> import<\/span> tarfile <\/span><\/span>import<\/span> io <\/span><\/span> <\/span><\/span>def<\/span> compress_file<\/span>(filename): <\/span><\/span> with<\/span> tarfile.<\/span>open('..\/payloads\/payload.tar'<\/span>, 'w'<\/span>) as<\/span> tarf: <\/span><\/span> data =<\/span> io.<\/span>BytesIO(b<\/span>"Test payload"<\/span>) <\/span><\/span> tarinfo =<\/span> tarfile.<\/span>TarInfo(name=<\/span>filename) <\/span><\/span> tarinfo.<\/span>size =<\/span> len(data.<\/span>getvalue()) <\/span><\/span> tarf.<\/span>addfile(tarinfo, data) <\/span><\/span> <\/span><\/span>filename =<\/span> '..\/poc.txt'<\/span> <\/span><\/span>compress_file(filename) <\/span><\/span><\/code><\/pre>4.3 TAR.GZ类型<\/h3> import<\/span> tarfile <\/span><\/span>import<\/span> io <\/span><\/span> <\/span><\/span>def<\/span> create_tar_gz_archive<\/span>(output_tar_gz_file, file_name, content): <\/span><\/span> with<\/span> tarfile.<\/span>open(output_tar_gz_file, 'w:gz'<\/span>) as<\/span> tar: <\/span><\/span> file_like_object =<\/span> io.<\/span>BytesIO(content.<\/span>encode('utf-8'<\/span>)) <\/span><\/span> tarinfo =<\/span> tarfile.<\/span>TarInfo(name=<\/span>file_name) <\/span><\/span> tarinfo.<\/span>size =<\/span> len(content) <\/span><\/span> tar.<\/span>addfile(tarinfo, file_like_object) <\/span><\/span> <\/span><\/span>create_tar_gz_archive('..\/payloads\/payload.tar.gz'<\/span>, '..\/poc.txt'<\/span>, 'PoC'<\/span>) <\/span><\/span><\/code><\/pre>5. 安全防御措施<\/h2> 5.1 通用防御原则<\/h3> 路径规范化<\/strong>：使用规范化函数处理所有路径<\/li> 路径验证<\/strong>：检查解压路径是否在目标目录内<\/li> 白名单验证<\/strong>：只允许特定文件类型或名称模式<\/li> 权限最小化<\/strong>：使用最低必要权限运行解压操作<\/li> <\/ol> 5.2 各语言安全实现示例<\/h3> 5.2.1 Java安全实现<\/h4> public<\/span> static<\/span> void<\/span> safe_unzip<\/span>(<\/span>String file_name,<\/span> String output)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> Path destDir =<\/span> Paths.<\/span>get<\/span>(<\/span>output).<\/span>normalize<\/span>().<\/span>toAbsolutePath<\/span>();<\/span> <\/span><\/span> <\/span><\/span> try<\/span> (<\/span>ZipInputStream zip =<\/span> new<\/span> ZipInputStream(<\/span>new<\/span> FileInputStream(<\/span>file_name)))<\/span> {<\/span> <\/span><\/span> ZipEntry entry;<\/span> <\/span><\/span> while<\/span> ((<\/span>entry =<\/span> zip.<\/span>getNextEntry<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> Path destPath =<\/span> destDir.<\/span>resolve<\/span>(<\/span>entry.<\/span>getName<\/span>()).<\/span>normalize<\/span>();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 验证路径是否在目标目录内 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>destPath.<\/span>startsWith<\/span>(<\/span>destDir))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> IOException(<\/span>"Invalid entry: "<\/span> +<\/span> entry.<\/span>getName<\/span>());<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> if<\/span> (<\/span>entry.<\/span>isDirectory<\/span>())<\/span> {<\/span> <\/span><\/span> Files.<\/span>createDirectories<\/span>(<\/span>destPath);<\/span> <\/span><\/span> }<\/span> else<\/span> {<\/span> <\/span><\/span> Files.<\/span>createDirectories<\/span>(<\/span>destPath.<\/span>getParent<\/span>());<\/span> <\/span><\/span> try<\/span> (<\/span>OutputStream fos =<\/span> Files.<\/span>newOutputStream<\/span>(<\/span>destPath))<\/span> {<\/span> <\/span><\/span> byte<\/span>[]<\/span> buffer =<\/span> new<\/span> byte<\/span>[<\/span>1024<\/span>];<\/span> <\/span><\/span> int<\/span> len;<\/span> <\/span><\/span> while<\/span> ((<\/span>len =<\/span> zip.<\/span>read<\/span>(<\/span>buffer))<\/span> ><\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> fos.<\/span>write<\/span>(<\/span>buffer,<\/span> 0<\/span>,<\/span> len);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> zip.<\/span>closeEntry<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5.2.2 Python安全实现<\/h4> def<\/span> safe_unzip<\/span>(file_name, output): <\/span><\/span> output =<\/span> os.<\/span>path.<\/span>abspath(output) <\/span><\/span> with<\/span> zipfile.<\/span>ZipFile(file_name, 'r'<\/span>) as<\/span> zf: <\/span><\/span> for<\/span> filename in<\/span> zf.<\/span>namelist(): <\/span><\/span> # 规范化路径并确保在目标目录内<\/span> <\/span><\/span> file_path =<\/span> os.<\/span>path.<\/span>normpath(os.<\/span>path.<\/span>join(output, filename)) <\/span><\/span> if<\/span> not<\/span> file_path.<\/span>startswith(output): <\/span><\/span> raise<\/span> ValueError<\/span>(f<\/span>"Path traversal attempt: <\/span>{<\/span>filename}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span> if<\/span> filename.<\/span>endswith('\/'<\/span>): <\/span><\/span> os.<\/span>makedirs(file_path, exist_ok=<\/span>True<\/span>) <\/span><\/span> else<\/span>: <\/span><\/span> os.<\/span>makedirs(os.<\/span>path.<\/span>dirname(file_path), exist_ok=<\/span>True<\/span>) <\/span><\/span> with<\/span> zf.<\/span>open(filename) as<\/span> source, open(file_path, 'wb'<\/span>) as<\/span> destination: <\/span><\/span> shutil.<\/span>copyfileobj(source, destination) <\/span><\/span><\/code><\/pre>5.2.3 Golang安全实现<\/h4> func<\/span> safe_unzip<\/span>(src<\/span> string<\/span>, dest<\/span> string<\/span>) error<\/span> { <\/span><\/span> dest<\/span> = filepath<\/span>.Clean<\/span>(dest<\/span>) <\/span><\/span> if<\/span> !filepath<\/span>.IsAbs<\/span>(dest<\/span>) { <\/span><\/span> return<\/span> fmt<\/span>.Errorf<\/span>("destination path must be absolute"<\/span>) <\/span><\/span> } <\/span><\/span> <\/span><\/span> r<\/span>, err<\/span> :=<\/span> zip<\/span>.OpenReader<\/span>(src<\/span>) <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> defer<\/span> r<\/span>.Close<\/span>() <\/span><\/span> <\/span><\/span> for<\/span> _<\/span>, f<\/span> :=<\/span> range<\/span> r<\/span>.File<\/span> { <\/span><\/span> \/\/ 清理路径并验证 <\/span><\/span><\/span><\/span> fpath<\/span> :=<\/span> filepath<\/span>.Join<\/span>(dest<\/span>, f<\/span>.Name<\/span>) <\/span><\/span> fpath<\/span> = filepath<\/span>.Clean<\/span>(fpath<\/span>) <\/span><\/span> <\/span><\/span> \/\/ 检查路径是否在目标目录内 <\/span><\/span><\/span><\/span> if<\/span> !strings<\/span>.HasPrefix<\/span>(fpath<\/span>, dest<\/span>) { <\/span><\/span> return<\/span> fmt<\/span>.Errorf<\/span>("illegal file path: %s"<\/span>, f<\/span>.Name<\/span>) <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> f<\/span>.FileInfo<\/span>().IsDir<\/span>() { <\/span><\/span> os<\/span>.MkdirAll<\/span>(fpath<\/span>, os<\/span>.ModePerm<\/span>) <\/span><\/span> continue<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> err<\/span> :=<\/span> os<\/span>.MkdirAll<\/span>(filepath<\/span>.Dir<\/span>(fpath<\/span>), os<\/span>.ModePerm<\/span>); err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> outFile<\/span>, err<\/span> :=<\/span> os<\/span>.OpenFile<\/span>(fpath<\/span>, os<\/span>.O_WRONLY<\/span>|os<\/span>.O_CREATE<\/span>|os<\/span>.O_TRUNC<\/span>, f<\/span>.Mode<\/span>()) <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> rc<\/span>, err<\/span> :=<\/span> f<\/span>.Open<\/span>() <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> outFile<\/span>.Close<\/span>() <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> <\/span><\/span> _<\/span>, err<\/span> = io<\/span>.Copy<\/span>(outFile<\/span>, rc<\/span>) <\/span><\/span> outFile<\/span>.Close<\/span>() <\/span><\/span> rc<\/span>.Close<\/span>() <\/span><\/span> if<\/span> err<\/span> !=<\/span> nil<\/span> { <\/span><\/span> return<\/span> err<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> nil<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>5.2.4 Ruby安全实现<\/h4> def<\/span> safe_unzip<\/span>(file_name, output) <\/span><\/span> output =<\/span> File<\/span>.<\/span>expand_path(output) <\/span><\/span> <\/span><\/span> Zip<\/span>::<\/span>File<\/span>.<\/span>open(file_name) do<\/span> |<\/span>zip_file|<\/span> <\/span><\/span> zip_file.<\/span>each do<\/span> |<\/span>entry|<\/span> <\/span><\/span> # 清理路径并验证<\/span> <\/span><\/span> file_path =<\/span> File<\/span>.<\/span>join(output, entry.<\/span>name) <\/span><\/span> file_path =<\/span> File<\/span>.<\/span>expand_path(file_path) <\/span><\/span> <\/span><\/span> unless<\/span> file_path.<\/span>start_with?(output +<\/span> '\/'<\/span>) <\/span><\/span> raise<\/span> "Path traversal attempt: <\/span>#{<\/span>entry.<\/span>name}<\/span>"<\/span> <\/span><\/span> end<\/span> <\/span><\/span> <\/span><\/span> FileUtils<\/span>.<\/span>mkdir_p(File<\/span>.<\/span>dirname(file_path)) <\/span><\/span> zip_file.<\/span>extract(entry, file_path) unless<\/span> File<\/span>.<\/span>exist?(file_path) <\/span><\/span> end<\/span> <\/span><\/span> end<\/span> <\/span><\/span>end<\/span> <\/span><\/span><\/code><\/pre>6. 最佳实践总结<\/h2> 始终验证解压路径<\/strong>：确保解压路径在目标目录内<\/li> 使用绝对路径<\/strong>：避免相对路径带来的不确定性<\/li> 规范化所有路径<\/strong>：使用语言提供的规范化函数<\/li> 限制文件权限<\/strong>：使用最低必要权限运行解压操作<\/li> 考虑使用安全库<\/strong>：如Python的zipfile<\/code>模块的安全方法<\/li> 输入验证<\/strong>：对上传的压缩文件进行严格验证<\/li> 日志记录<\/strong>：记录解压操作以便审计<\/li> 沙箱环境<\/strong>：在高风险场景下考虑在沙箱中执行解压<\/li> <\/ol> 7. 测试与验证<\/h2> 实施防御措施后，应进行以下测试：<\/p> 路径遍历测试<\/strong>：尝试上传包含"..\/"的压缩文件<\/li> 符号链接测试<\/strong>：测试对符号链接的处理<\/li> 绝对路径测试<\/strong>：测试包含绝对路径的压缩文件<\/li> 嵌套路径测试<\/strong>：测试深度嵌套的路径<\/li> 性能测试<\/strong>：确保安全措施不影响正常功能<\/li> <\/ol> 通过全面理解和实施这些安全措施，可以有效防御ZIP Slip攻击，保护应用程序免受目录穿越漏洞的威胁。<\/p>