
Zip Slip in Aspnet with Hmac Signatures

Zip Slip in Aspnet with Hmac Signatures — how this specific combination creates or exposes the vulnerability

Zip Slip is a path traversal vulnerability that occurs when an archive (for example, a ZIP file) contains entries with malicious paths such as ../../../etc/passwd. When an ASP.NET application extracts user-supplied archives without validating or sanitizing member paths, it can write files outside the intended directory. Combining this with Hmac Signatures introduces a subtle but critical trust boundary issue: the application may cryptographically verify a payload (e.g., a request or a downloaded archive) with an Hmac, then proceed to extract or act on that payload without re-validating path safety.

Consider a scenario where an ASP.NET service downloads a ZIP file from a URL, verifies its integrity using an Hmac passed in a header, and then extracts the archive. The Hmac ensures the content has not been tampered with in transit, but it does not guarantee the content is safe. If the service skips path canonicalization and accepts absolute paths or sequences like ../../malicious.dll, an attacker who can influence the archive contents (or the URL used to fetch it) can supply an archive that passes the integrity check and still achieves an arbitrary file write on the server. This is a classic case where cryptographic verification is mistakenly assumed to imply safety of the extracted artifact.

In the context of the 12 security checks run by middleBrick, this pattern would surface under Property Authorization and Input Validation, with potential cross-reference to BOLA/IDOR when archive contents are tied to user identifiers. The scan would note that Hmac verification does not replace safe extraction practices, and it would highlight the absence of path sanitization as a high-severity finding. Attack patterns like CVE-2018-1000656 illustrate how Zip Slip can lead to remote code execution or privilege escalation when extracted files overwrite critical system binaries or configuration files.

Hmac Signatures-Specific Remediation in Aspnet — concrete code fixes

To remediate Zip Slip in ASP.NET while using Hmac Signatures, you must enforce strict path validation and canonicalization before any extraction, independent of the Hmac verification. Hmac should be used to ensure integrity and authenticity of the data source, but integrity does not equate to safety of file paths. Below are concrete code examples showing how to combine Hmac verification with safe archive extraction in ASP.NET.

First, verify the Hmac on the incoming payload (e.g., request body or downloaded file). Then, validate and sanitize each entry path before extracting. Use Path.GetFullPath combined with a rooted extraction directory and ensure the normalized path remains within that directory. The following C# example demonstrates this approach in an ASP.NET Core controller:

using System;
using System.IO;
using System.IO.Compression;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public class ArchiveController : Controller
{
    // Verbatim string: "C:\SafeExtraction" without @ does not compile (\S is not a valid escape).
    private const string AllowedRoot = @"C:\SafeExtraction";

    // Example key only; load the real key from configuration or a secret store.
    private static readonly byte[] SecretKey = System.Text.Encoding.UTF8.GetBytes("your-256-bit-secret");

    [HttpPost("upload")]
    public IActionResult Upload(IFormFile archive)
    {
        if (archive == null || archive.Length == 0)
            return BadRequest("Archive required");

        // Step 1: Verify the Hmac over the raw payload bytes
        if (!VerifyHmac(archive, Request.Headers["X-Archive-Hmac"]))
            return Unauthorized("Invalid Hmac");

        // Canonicalize the root once and give it a trailing separator, so that a
        // sibling such as C:\SafeExtractionEvil cannot pass the StartsWith check.
        var root = Path.GetFullPath(AllowedRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        using var stream = archive.OpenReadStream();
        using var archiveReader = new ZipArchive(stream, ZipArchiveMode.Read);

        foreach (var entry in archiveReader.Entries)
        {
            // Step 2: Canonicalize and validate the entry path. Path.Combine discards
            // the root when the entry is itself rooted, and GetFullPath resolves "..",
            // so both cases fail the containment check below.
            var fullPath = Path.GetFullPath(Path.Combine(root, entry.FullName));
            if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                return BadRequest("Invalid path traversal");

            // Directory entries end with a separator: create them and move on
            if (entry.FullName.EndsWith("/") || entry.FullName.EndsWith("\\"))
            {
                Directory.CreateDirectory(fullPath);
                continue;
            }

            // Step 3: Safe extraction (ExtractToFile needs the parent directory to exist)
            Directory.CreateDirectory(Path.GetDirectoryName(fullPath)!);
            entry.ExtractToFile(fullPath, overwrite: false);
        }
        return Ok("Extraction safe");
    }

    private static bool VerifyHmac(IFormFile data, string receivedHmac)
    {
        if (string.IsNullOrEmpty(receivedHmac))
            return false;

        using var hmac = new HMACSHA256(SecretKey);
        using var stream = data.OpenReadStream();
        var hash = hmac.ComputeHash(stream);

        byte[] received;
        try { received = Convert.FromBase64String(receivedHmac); }
        catch (FormatException) { return false; }

        // Constant-time comparison; a plain == on strings leaks timing information
        return CryptographicOperations.FixedTimeEquals(hash, received);
    }
}

In this example, VerifyHmac ensures the payload has not been altered, while the path checks prevent Zip Slip by confining extraction to AllowedRoot. This pattern aligns with the principle that Hmac Signatures provide integrity, but you must still enforce authorization and input validation on file paths. For production, consider additional hardening such as disallowing entries with absolute paths, forbidding paths containing parent directory sequences, and using Path.GetRelativePath to assert containment.
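The trust-boundary point made above (a valid Hmac says nothing about where an archive entry will land) and the hardening checks just listed can be exercised end to end in a small language-neutral harness. The following Python script is an added example, not code from this page or from middleBrick: it builds a constructed in-memory ZIP containing one legitimate file and one traversal entry, signs it with a constructed shared key, and shows that HMAC verification passes while the containment check still rejects the bad entry. The function names (sign, verify_hmac, is_safe_entry, check_archive, build_archive), the key value and the root directory /tmp/safe are assumptions of this example.

```python
import hashlib
import hmac
import io
import os
import zipfile
from typing import List, Tuple

# Constructed example key; a real service loads this from a secret store.
SECRET_KEY = b"example-shared-secret"


def sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw archive bytes, hex-encoded."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def verify_hmac(payload: bytes, received: str) -> bool:
    """Constant-time check. A match proves only that the bytes were not altered."""
    if not isinstance(received, str):
        return False
    return hmac.compare_digest(sign(payload).encode(), received.encode())


def is_safe_entry(root: str, name: str) -> bool:
    """Reject absolute paths, drive-letter paths, any '..' component, and
    anything that still resolves outside `root` after canonicalization
    (a relative-path containment check, not a bare string prefix check)."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        return False
    if len(name) > 1 and name[1] == ":":  # Windows drive letter, e.g. C:\evil.dll
        return False
    if ".." in name.replace("\\", "/").split("/"):
        return False
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, name))
    rel = os.path.relpath(target, root_abs)
    # rel == "." would mean the entry is the root itself; ".." / "../x" mean escape
    return rel not in (".", "..") and not rel.startswith(".." + os.sep)


def check_archive(payload: bytes, received_hmac: str, root: str) -> Tuple[bool, List[str]]:
    """Return (hmac_ok, rejected_entries). Extraction is allowed only when
    hmac_ok is True AND rejected_entries is empty; the two checks are independent."""
    if not verify_hmac(payload, received_hmac):
        return False, []
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        rejected = [e.filename for e in zf.infolist() if not is_safe_entry(root, e.filename)]
    return True, rejected


def build_archive(entries) -> bytes:
    """Build a ZIP in memory from (name, data) pairs; names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archive: one benign entry and one traversal entry.
    payload = build_archive([("docs/readme.txt", b"hello"), ("../evil.txt", b"owned")])
    tag = sign(payload)
    print(check_archive(payload, tag, "/tmp/safe"))         # (True, ['../evil.txt'])
    print(check_archive(payload, "deadbeef", "/tmp/safe"))  # (False, [])
```

The first call is the case the text warns about: the signature is valid, so a service that stops at verify_hmac would extract ../evil.txt one level above the root. The second call shows a tampered archive being stopped by the HMAC alone; neither check substitutes for the other.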

middleBrick’s scans will flag missing path canonicalization and missing validation even when Hmac is present, because the security checks run in parallel and do not assume cryptographic guarantees replace safe coding practices. Use the CLI (middlebrick scan <url>) or the GitHub Action to enforce these patterns in CI/CD, ensuring that any API or service accepting archives applies both integrity and path-safety checks.

Frequently Asked Questions

Does verifying an Hmac on an uploaded ZIP file guarantee it is safe to extract?
No. Hmac verification confirms integrity and authenticity of the bytes, but it does not validate file paths. You must still canonicalize and sanitize paths to prevent Zip Slip.

How does middleBrick detect Zip Slip risks when Hmac is used?
middleBrick runs parallel security checks including Property Authorization and Input Validation. It reports findings when archives are accepted without path validation, regardless of Hmac usage, and maps them to relevant compliance frameworks such as OWASP API Top 10.