We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Given specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. The follow is an example of a malicious entry:
IO.unzip
+2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys
This would have a potential to overwrite /root/.ssh/authorized_keys. Within sbt's main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however many projects use IO.unzip(...) directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1
/root/.ssh/authorized_keys
pullRemoteCache
Resolvers.remote
IO.unzip(...)
The problem has been patched in sbt/io#360 sbt 1.9.7 is available with the fix.
A workaround might be use some other library to unzip.
Impact
Given specially crafted zip or JAR file,
IO.unzipallows writing of arbitrary file. The follow is an example of a malicious entry:This would have a potential to overwrite
/root/.ssh/authorized_keys. Within sbt's main code,IO.unzipis used inpullRemoteCachetask andResolvers.remote; however many projects useIO.unzip(...)directly to implement custom tasks - https://github.com/search?q=IO.unzip+language%3AScala&type=code&l=Scala&p=1Patches
The problem has been patched in sbt/io#360
sbt 1.9.7 is available with the fix.
Workarounds
A workaround might be use some other library to unzip.
References