HIGH zip slipbearer tokens

Zip Slip with Bearer Tokens

Scan your API now

How Zip Slip Manifests in Bearer Tokens

Zip Slip occurs when an application extracts files from an archive without validating that the extracted paths stay inside a safe directory. When the archive is obtained via an API call that uses a Bearer Token for authentication, the vulnerable code path often looks like this:

const express = require('express');
const axios = require('axios');
const AdmZip = require('adm-zip');
const app = express();

// Middleware that expects a Bearer Token in the Authorization header
app.use((req, res, next) => {
  const auth = req.headers.authorization;
  if (!auth || !auth.startsWith('Bearer ')) {
    return res.status(401).send('Missing token');
  }
  req.token = auth.slice(7); // strip 'Bearer '
  next();
});

app.get('/fetch-and-extract', async (req, res) => {
  try {
    // The token is used to authenticate a request to a third‑party service
    const response = await axios.get('https://example.com/assets/plugin.zip', {
      headers: { Authorization: `Bearer ${req.token}` }
    });

    // Write the zip to a temporary file
    const tmpPath = '/tmp/plugin.zip';
    require('fs').writeFileSync(tmpPath, response.data);

    // Vulnerable extraction – no path validation
    const zip = new AdmZip(tmpPath);
    zip.extractAll('/var/www/plugins/', true); // <-- Zip Slip here

    res.send('Plugin installed');
  } catch (err) {
    res.status(500).send('Error');
  }
});

app.listen(3000);

If the attacker controls the contents of plugin.zip (for example, by compromising the third‑party service or by hosting a malicious zip under a URL that the token‑protected endpoint trusts), they can include an entry such as ../../../etc/passwd. When extractAll runs, the entry is written outside /var/www/plugins/, overwriting or creating arbitrary files on the host. Because the request that triggers the extraction is authenticated with a Bearer Token, the vulnerability is only reachable by a client that can present a valid token, making the issue a privileged‑access path‑traversal problem.

Bearer Tokens‑Specific Detection

Detecting this variant of Zip Slip requires looking for two correlated patterns:

  • The presence of a Bearer Token used to authenticate an outbound HTTP request that returns binary data (commonly a zip, tar, or similar archive).
  • Subsequent extraction of that data with a library that does not sanitize entry names (e.g., adm-zip, JSZip, unzipper, archiver, yauzl).

middleBrick’s Input Validation check scans the request/response flow for unauthenticated endpoints, but it also follows authenticated calls when a token is supplied in the request (the scanner can attach a dummy Bearer Token to test the endpoint). When it observes:

  1. An outbound request whose URL is built from user‑controlled input or a third‑party URL, authenticated with a Bearer Token header,
  2. The response body being written to a file and then passed to an extraction routine without any path‑sanitization logic,
  3. It flags a Zip Slip finding, annotating it with the specific line of code and the token‑usage context.

Because middleBrick works purely from the outside (black‑box), it does not need source code or agents; it simply sends a request with a Bearer Token, monitors whether the response contains an archive, and attempts to detect dangerous extraction signatures in the subsequent processing (e.g., by looking for known vulnerable library calls in the response timing or error messages). If the endpoint returns an error that reveals the extraction path, the scanner can confirm the presence of a traversal attempt.

Example of a finding that middleBrick might report:

Finding: Zip Slip (Path Traversal) – High Severity
Endpoint: GET /fetch-and-extract
Details: The endpoint authenticates with a Bearer Token, downloads a zip from https://example.com/assets/plugin.zip, and extracts it using adm‑zip without validating entry names. An attacker who controls the zip can write files outside the intended /var/www/plugins/ directory.
Remediation: Validate each entry’s resolved path stays within the target directory before extraction.

Bearer Tokens‑Specific Remediation

The fix focuses on two areas: safe handling of the Bearer Token and safe archive extraction. Below is a corrected version of the previous example.

const express = require('express');
const axios = require('axios');
const path = require('path');
const { promisify } = require('util');
const fs = require('fs');
const AdmZip = require('adm-zip');
const app = express();

app.use((req, res, next) => {
  const auth = req.headers.authorization;
  if (!auth || !auth.startsWith('Bearer ')) {
    return res.status(401).send('Missing token');
  }
  req.token = auth.slice(7);
  next();
});

// Helper to safely check if a resolved path stays inside baseDir
function isSafe(baseDir, targetPath) {
  const base = path.resolve(baseDir);
  const target = path.resolve(targetPath);
  return target.startsWith(base + path.sep) || target === base;
}

app.get('/fetch-and-extract', async (req, res) => {
  try {
    const response = await axios.get('https://example.com/assets/plugin.zip', {
      headers: { Authorization: `Bearer ${req.token}` }
    });

    const tmpPath = '/tmp/plugin.zip';
    fs.writeFileSync(tmpPath, response.data);

    const zip = new AdmZip(tmpPath);
    const extractDir = '/var/www/plugins/';

    // Iterate entries and validate each before extraction
    for (const entry of zip.getEntries()) {
      if (entry.isDirectory) continue; // directories are created automatically
      const entryPath = path.join(extractDir, entry.entryName);
      if (!isSafe(extractDir, entryPath)) {
        return res.status(400).send(`Unsafe entry detected: ${entry.entryName}`);
      }
    }

    // All entries are safe – now extract
    zip.extractAll(extractDir, true);
    res.send('Plugin installed safely');
  } catch (err) {
    console.error(err);
    res.status(500).send('Error');
  }
});

app.listen(3000);

Key changes:

  • The Bearer Token is still used to authenticate the outbound request, but it is never logged or exposed in error messages.
  • Before extracting each entry, the code computes the absolute path and ensures it resides inside the intended extraction directory using a whitelist‑style check (isSafe).
  • If any entry fails the check, the request is halted with a 400 response, preventing the Zip Slip.

Other language‑specific safe‑extraction patterns achieve the same goal:

  • Python: use tarfile or zipfile with os.path.normpath and verify os.path.commonpath.
  • Java: when using java.util.zip.ZipFile, call ZipEntry.getName(), resolve against the destination directory with java.nio.file.Paths, and confirm the resolved path starts with the base directory.
  • Go: with the archive/zip package, iterate Reader.File, use filepath.Join and filepath.Abs to check containment.

By combining proper token handling with rigorous path validation, the Zip Slip risk associated with Bearer Token‑authenticated archive downloads is eliminated.

Scan your API now Free API security scan

Frequently Asked Questions

Does middleBrick need a valid Bearer Token to test an endpoint for Zip Slip?
No. middleBrick can attach a placeholder Bearer Token header when scanning an endpoint. If the endpoint requires a real token to return the archive, the scanner will still detect the vulnerable extraction pattern by observing the response and any error messages that reveal unsafe path handling.
Can Zip Slip affect APIs that never return archives to the caller?
Yes. The vulnerability occurs when the server itself downloads and extracts an archive (e.g., a plugin, update, or third‑party asset) using a Bearer Token‑authenticated request. Even if the client never receives the archive, unsafe extraction on the server can lead to file system compromise.

Related Pages

Zip Slip in APIsLearn about Zip Slip directory traversal vulnerabilities in APIs, how attackers exploit archive extraction flaws, and coBearer Tokens API SecurityBearer tokens are the most common API authentication mechanism, but they're vulnerable to theft and misuse. Learn how thZip Slip on AzureZip Slip vulnerabilities in Azure environments allow path traversal attacks during ZIP extraction, potentially leading tZip Slip on AwsZip Slip vulnerabilities in Aws environments allow attackers to write files outside intended directories through malicioHipaa: Zip SlipLearn how Zip Slip vulnerabilities threaten HIPAA compliance in healthcare APIs, with specific detection patterns and coCis: Zip SlipLearn how Cis (Confusion of Identical Strings) enables Zip Slip exploits via inconsistent path normalization, with detecGdpr: Zip SlipLearn how Zip Slip vulnerabilities can lead to GDPR breaches by exposing personal data through unsafe archive extractionIso 27001: Zip SlipLearn how ISO 27001 controls relate to Zip Slip vulnerabilities in API file uploads, including detection with middleBricZip Slip in Django with Bearer TokensZip Slip in Django with Bearer Tokens: how token-derived paths enable traversal and secure remediation patterns using paZip Slip in Aspnet with Bearer TokensExplore Zip Slip in ASP.NET with Bearer Tokens: understand the combined risk and apply concrete code fixes using path saZip Slip in Buffalo with Bearer TokensLearn how Zip Slip in Buffalo combines with Bearer Tokens to expose path traversal risks, and apply concrete code fixes Zip Slip in Actix with Bearer TokensExplore Zip Slip in Actix with Bearer Tokens, understand the risk, and apply secure path resolution code examples for re