Skip to content

Case Study: Path Traversal (Zip Slip) in Plexus Archiver – CVE-2018-1002200 #27

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Mrunal1Patil wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Case Study: Path Traversal (Zip Slip) in Plexus Archiver – CVE-2018-1002200 #27

Mrunal1Patil wants to merge 1 commit into from

Conversation

@Mrunal1Patil
Copy link

@Mrunal1Patil Mrunal1Patil commented Dec 1, 2025

“Zip Slip Vulnerability in File Extraction”.

The case study includes:

  • Overview of Path Traversal (CWE-22)
  • Description of CVE-2018-1002200 in Plexus Archiver
  • Vulnerable source code from Plexus Archiver 3.5
  • Example of how a fake ZIP file can be used to exploit the bug.
  • Fixed code from Plexus Archiver 3.6.0 (canonical path validation)
  • Prevention guidelines and secure coding practices
  • Full references and contributions section

This submission is part of a secure coding course assignment.

@Mrunal1Patil
Create msccs-7.md
f9badc4 
Add case study: Path Traversal (Zip Slip) in Plexus Archiver (Issue mitre#7)
@continue
Copy link

continue bot commented Dec 1, 2025

Keep this PR in a mergeable state →

Learn more

All Green is an AI agent that automatically:

✅ Addresses code review comments

✅ Fixes failing CI checks

✅ Resolves merge conflicts

@stevechristeycoley
Copy link
Collaborator

stevechristeycoley commented Dec 13, 2025

Automated Analysis Results of This Use Case

Thank you for providing your use case! Apologies for the form letter, but it's a pleasure to see y'all :)

With technical knowledge work such as this project, it is important to structure information as well as possible, so that it can be processed automatically.

We also want to validate our inputs ;-)

So, this report contains the results of an automated analysis of the provided use case, looking for consistency with the documented format as covered in Section 3 "Case Study Structure" of the Style Guide.

Disclaimers:

  • David Wheeler may provide guidance on how to handle these reports. We're grateful that you've put in this work already, and we don't want to burden you unnecessarily 'cuz you're probably busy :)
  • Our style guide was not always 100% clear (as often happens early in technical knowledge work), so this analysis attempts to automatically resolve potential inconsistencies.
  • This report is provided as a convenience. There may be some errors or omissions in this report.
  • We will conduct deeper analysis at a later time.

Items are prioritized from Informative, Low, Medium, to High in terms of current importance to the project.

Analyzing Presence of Markdown

Markdown detected in the document.

Parser Issues

The following issues were encountered by the parser used to analyze this file. This might explain potential errors and false positives in the subsequent analysis.

  • [Info] Inferring that line 1 contains the title

Section Analysis

  • [Info] 0 major section-name issues detected.
  • [Med] Section 'Introduction' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'Software' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'Weakness' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'Vulnerability' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'Exploit' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'Fix' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'Prevention' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'Conclusion' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'References' is expected to have 3 hash marks, but it has 2
  • [Med] Section 'Contributions' is expected to have 3 hash marks, but it has 2

Analyzing Title Section

Note: the analysis may be incorrect depending on how
you provided the title. This an issue with the analyzer.

Inferred/Extracted Title begins with text: 'Title : Path Traversal (Zip Slip) in Plexus Archiv...'

  • [Low] Title does not contain only capital letters
  • [Med] Title contains more than 8 words (longer than the recommended 4 to 6)

Analyzing Introduction Section

No issues found.

Analyzing Software Section

No issues found.

Analyzing Weakness Section

No issues found.

Analyzing Vulnerability Section

No issues found.

Analyzing Fix Section

No issues found.

Analyzing References Section

No issues found.

@stevechristeycoley
Copy link
Collaborator

stevechristeycoley commented Dec 23, 2025

This is a brief checklist for review of this writeup for possible
inclusion in the Secure Coding Case Studies work.

Review Information

Metadata Info
Author Mrunal Pradeep Patil
Reviewer Steve Christey Coley
Start Date 2025-12-16 23:46:00
End Date 2025-12-17 01:00:00
PR #27
PR Access Date 2025-12-14 19:05:00
Issue #7
File(s) msccs-7.md
Recommendation potential MSCCS inclusion with major edits; consideration for CWE

Review Summary

CWE - sample code for the Weakness might be useful for a demonstrative
example.

Some of the Vulnerability writeup could be helpful as a demonstrative
example.

Random CWE/Vuln-Theory comment: the fix involves canonicalization and
"starts-with" string comparisons. Why haven't software/framework
defenses evolved to the point where one could "resolve" a pathname to
only exist within a specific directory/folder, kinda like
parameterizaton but for file access? Ask Prof. Wheeler or somebody
else who's cared about systematic software security for years. I want
to know.

References - the link for the "Contains Vulnerable Code" reference
doesn't point directly to the commit, but instead to the tags for a
specific version, including multiple bugs. Specific commits are
strongly preferred.

Recommendation: potential for inclusion in SCCS, with extensive
edits. Potential for inclusion in CWE for Observed Example or
Demonstrative Example.

Case Study Structure

  • writeup follows "Case Study Structure" recommendations without significant errors

Case Study Selection

  • CVE
    • CVE ID clearly identified
    • CVE ID follows correct ID syntax
    • CVE is sufficiently recent
    • issue has been fixed
  • Detailed reference(s)
    • vulnerable source code available
    • fixed source code available
    • code is properly licensed to be made public
    • (preferred) articles about exploitation

Case Study Contents

Title

  • not too vague
  • not too technical
  • typically follows: <Weakness/Exploit Type> In <Software Name>
  • generally between 4 and 6 words
  • all caps

Introduction

  • typically one paragraph
  • issue and consequences in first sentence or two
  • weakness type, possibly including position in Top 25
  • sentence introducing the software application
  • scope of the case study

Software

  • has Name
    • include vendor name if applicable
    • avoid version numbers (in this field)
  • has Language
  • has URL (typically on GitHub if open source)

Weakness

  • cites appropriate CWE ID and name
  • one to two paragraphs long
  • does not discuss the actual vulnerable code
  • does not refer to the real software

Vulnerability

  • CVE ID listed at the beginning
  • discuss what the affected software is used for
  • Code walk-through
    • calls out specific lines with language like "On line 123 ..."
    • calls out specific variables/inputs
    • includes "vulnerable file:" label and filename
    • follows "fenced code block" formatting
    • only cites source code that is necessary to the weakness
    • uses "..." to skip multiple lines of irrelevant source code
    • avoids exploit details

Exploit

  • explain how the vulnerability is/was exploited and the consequences
  • lists relevant CAPEC ID (if available)
  • typically one to three paragraphs in length; could be longer with complex exploits
  • when available, shows how certain inputs drive the exploit and how it works through the code

Fix

  • describes how the weakness was fixed
  • focuses only on the changes related to the weakness
  • code follows "fenced code block" formatting
  • includes "fixed file:" label and filename
  • uses ```diff construct to highlight the diff

Prevention

  • provides enough detail for the reader to implement the suggestions
  • includes relevant secure coding practices
  • includes mechanisms of identification e.g. tools
  • typically a few paragraphs long

Conclusion

  • brief summary of the case study (1 to 2 paragraphs long)
  • avoids any new information

References

  • name/URL of software page
  • name/URL of the CVE
  • name/URL of the CWE(s)
  • name/URL of the CAPEC(s)
  • name/URL of vendor's vuln report
  • (if possible) name/URL of the specific code commit with the fix
  • name/URL of any article that helped inform the case study
  • no unusual/unexpected claims, or backed up by references
  • (if available) name/URL for any foundational tutorial or best practice guide
  • avoids listing all possible references

Contributors

  • credits significant contributors
  • includes original creator and reviewer(s)

Images/Diagrams (Optional)

  • helps the reader understand a complex topic
  • typically 0 to 2 images; no fixed rule

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Mrunal1Patil @stevechristeycoley