HIGH zip slipaspnetdynamodb

Zip Slip in Aspnet with Dynamodb

Scan for zip slip in aspnet

Zip Slip in Aspnet with Dynamodb — how this specific combination creates or exposes the vulnerability

Zip Slip is a path traversal vulnerability that occurs when an archive (for example a ZIP file) is extracted without sanitizing member paths. In an ASP.NET application that stores or processes user-supplied archives and interacts with Amazon DynamoDB, the risk expands across storage, metadata handling, and downstream data retrieval.

Consider an endpoint that accepts a ZIP upload, extracts it to a temporary directory, and then writes extracted file metadata (such as original filename, size, and a user-supplied key) into a DynamoDB table. If the ZIP contains entries like ../../../etc/passwd, a malicious archive can traverse outside the intended extraction root. When the application later uses the extracted path or the user-supplied key to construct a DynamoDB key (partition key/sort key), it may inadvertently expose or overwrite items that belong to other users or system data.

DynamoDB does not perform filesystem operations, so the traversal happens in the local extraction logic; however, the impact is realized when crafted keys or object references are stored in DynamoDB. For example, an attacker could cause the application to write an item with a key that maps to another user’s data, enabling unauthorized reads or writes if authorization checks are incomplete. In addition, crafted filenames can lead to inconsistent states when the application uses DynamoDB conditional writes or versioning, because the item keys or attribute values may not match the expected application model.

Because middleBrick scans the unauthenticated attack surface, it can detect unsafe extraction patterns and insecure usage of DynamoDB keys in API request surfaces. It checks inputs such as archive handling routines and parameter construction that feeds into DynamoDB operations, identifying issues like missing path normalization and missing authorization on key formation. Findings include guidance to validate and sanitize archive entries and to enforce strict key construction that isolates tenant or user context.

Dynamodb-Specific Remediation in Aspnet — concrete code fixes

To mitigate Zip Slip when ASP.NET interacts with DynamoDB, focus on three areas: secure archive extraction, strict key construction, and safe DynamoDB client usage. Below are concrete, realistic examples using the AWS SDK for .NET.

1. Secure ZIP extraction with path validation

Always resolve and validate each entry path against a defined extraction root. This prevents directory traversal regardless of the archive content.

using System.IO.Compression;

public static void ExtractZipSafe(string zipPath, string destinationFolder)
{
    using var archive = ZipFile.OpenRead(zipPath);
    foreach (var entry in archive.Entries)
    {
        var resolvedPath = Path.GetFullPath(Path.Combine(destinationFolder, entry.FullName));
        if (!resolvedPath.StartsWith(Path.GetFullPath(destinationFolder), StringComparison.Ordinal))
        {
            throw new SecurityException("Invalid path in archive: " + entry.FullName);
        }
        entry.ExtractToFile(resolvedPath, overwrite: true);
    }
}

2. Safe DynamoDB key construction

Do not directly use extracted or user-controlled values as DynamoDB keys. Derive keys using a tenant or user scope and a stable identifier, and avoid concatenating raw filenames into keys or key attribute values.

using Amazon.DynamoDBv2.DataModel;

public class FileRecord
{
    [DynamoDBHashKey]
    public string UserId { get; set; }
    [DynamoDBRangeKey]
    public string FileId { get; set; }
    public string OriginalName { get; set; }
    public long Size { get; set; }
}

public static string BuildFileId(Guid rawFileId)
{
    // Do not use raw filename; use a GUID or other safe identifier
    return rawFileId.ToString();
}

// Usage when writing to DynamoDB:
var record = new FileRecord
{
    UserId = "tenant123_user456",
    FileId = BuildFileId(Guid.NewGuid()),
    OriginalName = SafeFileName(originalName),
    Size = new FileInfo(filePath).Length
};

3. Parameterized writes and conditional checks

Use DynamoDBContext’s SaveAsync and conditional expressions to avoid accidental overwrites that could be abused via malicious keys. Combine this with authorization checks that verify ownership on every request.

var config = new DynamoDBOperationConfig
{
    ConditionalOperator = ConditionOperator.Null
};
await context.SaveAsync(record, config);

middleBrick’s checks can validate that your extraction logic normalizes paths and that key-building routines do not expose directory traversal vectors. Its findings map to OWASP API Top 10:2023 A05:2021 (Broken Function Level Authorization) and A03:2021 (Injection) when malformed inputs affect DynamoDB key construction.

Scan for zip slip in aspnet Free API security scan

Frequently Asked Questions

How does middleBrick detect Zip Slip risks involving DynamoDB in ASP.NET APIs?
middleBrick runs parallel security checks including Input Validation and Property Authorization. It analyzes request parameters that influence file extraction and DynamoDB key formation, identifying missing path sanitization and unsafe key usage without requiring authentication.
Can the scan findings help meet compliance requirements when ASP.NET apps use DynamoDB?
Yes. Findings align with OWASP API Top 10, and the reports map to frameworks such as PCI-DSS, SOC2, and GDPR. The Pro plan’s continuous monitoring can track these findings over time within your compliance workflow.

Related Pages

Zip Slip in AspnetZip Slip vulnerabilities in Aspnet allow attackers to write files outside intended directories. Learn Aspnet-specific atZip Slip in DynamodbZip Slip vulnerabilities in DynamoDB environments allow path traversal attacks through untrusted ZIP archives. Learn detZip Slip in Aspnet on AwsUnderstand Zip Slip in Aspnet on Aws and apply concrete extraction safeguards with code examples and middleBrick scanninZip Slip in Aspnet on DigitaloceanUnderstand and remediate Zip Slip in Aspnet on Digitalocean with secure extraction patterns and code examples.Hipaa: Zip Slip in AspnetExplore Zip Slip in ASP.NET under HIPAA: understand the risk and apply concrete path validation fixes with code examplesGdpr: Zip Slip in AspnetExplore GDPR risks in Zip Slip with ASP.NET, understand path traversal impacts, and apply concrete code fixes for secureIso 27001: Zip Slip in AspnetExplore Zip Slip in ASP.NET under ISO 27001: learn risk context and apply secure extraction fixes with concrete code exaZip Slip in Aspnet with Bearer TokensExplore Zip Slip in ASP.NET with Bearer Tokens: understand the combined risk and apply concrete code fixes using path saZip Slip in Aspnet with Mutual TlsExploring Zip Slip in ASP.NET with Mutual TLS: how mTLS changes trust but not validation, plus secure extraction patternCis: Zip Slip in AspnetExplore Zip Slip in ASP.NET APIs, understand CIS-related risks, and apply concrete code fixes to prevent path traversal.Zip Slip in Aspnet with Hmac SignaturesExplore Zip Slip in ASP.NET with Hmac Signatures: understand the combined risk and apply concrete Hmac verification plusZip Slip in Aspnet with Basic AuthExplains Zip Slip in ASP.NET with Basic Auth and provides Basic Auth-specific remediation and secure extraction code exa