Zip Slip in Buffalo with Jwt Tokens
Zip Slip in Buffalo with Jwt Tokens — how this specific combination creates or exposes the vulnerability
Zip Slip is a path traversal vulnerability that occurs when an archive extraction uses user-supplied paths without proper validation. In the Buffalo web framework for Go, this risk can intersect with JSON Web Token (Jwt) handling when tokens are extracted from archives or when an API endpoint both processes uploads and issues Jwt-based authentication. Because Buffalo encourages rapid routing and parameter binding, developers may inadvertently pass unchecked filename parameters to archive extractors while also using Jwt tokens for session or claims validation. If an attacker uploads a crafted archive containing files with paths like ../../../etc/passwd, and the server extracts it into a sensitive location while also parsing a Jwt token from a header or cookie, the combination can expose directory traversal and authentication bypass risks.
Consider a scenario where Buffalo serves an endpoint that accepts a ZIP file and a Jwt token, extracts the archive, and uses claims from the token to determine target ownership. If the extraction logic does not sanitize filenames, an archive containing a file named ../../claims.json can overwrite or read files outside the intended directory. Meanwhile, the Jwt token, possibly passed in an Authorization header as a bearer token, might be validated with incomplete checks (e.g., missing audience or issuer validation). This overlap means an attacker can manipulate file paths to access or replace configuration or token material, while the Jwt token’s trust model is undermined by path-based confusion. Even if the Jwt token itself is cryptographically sound, the surrounding file handling logic can leak or corrupt data due to traversal, effectively exposing the token’s context or the resources it protects.
middleBrick’s security checks can detect such interactions during a scan. By testing the unauthenticated attack surface, it can identify path traversal indicators in file upload or archive handling endpoints and correlate them with Jwt token usage patterns. For example, an endpoint that both accepts file uploads and requires a Jwt token might receive a low score if traversal risks are present alongside weak token validation. The scan’s checks for Input Validation and Property Authorization highlight whether path sanitation is enforced, while the Data Exposure and Unsafe Consumption checks reveal whether Jwt tokens are transmitted or stored insecurely. Although middleBrick does not fix the issue, its findings provide prioritized remediation guidance to address the combined vector before it can be exploited.
Jwt Tokens-Specific Remediation in Buffalo — concrete code fixes
To remediate Zip Slip risks in Buffalo when Jwt tokens are involved, secure file extraction and token validation independently and never rely on a single control. For file handling, always sanitize filenames and use a whitelist of allowed paths. Use Go’s path/filepath utilities to clean and restrict destinations. For Jwt tokens, validate standard claims, enforce issuer and audience checks, and avoid accepting tokens from untrusted sources. Below are concrete code examples demonstrating both fixes in a Buffalo endpoint.
Secure file extraction with path sanitization
Ensure extracted files cannot escape the intended directory:
import (
"archive/zip"
"io"
"os"
"path/filepath"
)
func safeExtractZip(src, destDir string) error {
r, err := zip.OpenReader(src)
if err != nil {
return err
}
defer r.Close()
for _, f := range r.File {
// Clean and restrict path
upath := filepath.Clean(f.Name)
if upath == ".." || len(upath) > 0 && upath[:2] == ".." {
return ErrBadFilename
}
// Ensure the path remains inside destDir
target := filepath.Join(destDir, upath)
if !isWithin(target, destDir) {
return ErrBadFilename
}
if f.FileInfo().IsDir() {
os.MkdirAll(target, f.Mode())
continue
}
if err := os.MkdirAll(filepath.Dir(target), f.Mode()); err != nil {
return err
}
srcFile, err := f.Open()
if err != nil {
return err
}
defer srcFile.Close()
dstFile, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
if err != nil {
return err
}
defer dstFile.Close()
if _, err = io.Copy(dstFile, srcFile); err != nil {
return err
}
}
return nil
}
func isWithin(path, root string) bool {
rel, err := filepath.Rel(root, path)
if err != nil {
return false
}
return len(rel) == 0 || rel[:2] != ".." && !isAbs(rel)
}
func isAbs(p string) bool {
return filepath.IsAbs(p)
}
Jwt token validation with strict claims checks
Validate tokens using a verified issuer and audience, and avoid accepting unsigned tokens:
import (
"context"
"github.com/golang-jwt/jwt/v5"
)
func validateToken(raw, issuer, audience string) (jwt.MapClaims, error) {
token, err := jwt.Parse(raw, func(token *jwt.Token) (interface{}, error) {
// Ensure signing method is as expected
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil := fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return []byte("your-secret-key"), nil
})
if err != nil {
return nil, err
}
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
// Enforce issuer and audience
if iss, ok := claims["iss"].(string); !ok || iss != issuer {
return nil := fmt.Errorf("invalid issuer")
}
if aud, ok := claims["aud"].(string); !ok || aud != audience {
return nil := fmt.Errorf("invalid audience")
}
return claims, nil
}
return nil := fmt.Errorf("invalid token")
}
// Example usage in a Buffalo action
func (v AuthController) Login(c buffalo.Context) error {
raw := c.Param("token")
claims, err := validateToken(raw, "my-issuer", "my-audience")
if err != nil {
return c.Render(401, r.JSON(map[string]string{"error": "invalid_token"}))
}
// Proceed with user lookup using claims["sub"]
return c.Render(200, r.JSON(claims))
}
By combining strict path sanitation and Jwt validation, Buffalo applications can mitigate Zip Slip risks even when tokens are present. Use middleBrick’s scans to verify that endpoints handling both archives and Jwt tokens do not leak paths or accept malformed tokens.