ddev/ddev ZipSlip Path Traversal

24 Mar 2026 00:00:00. Reported by Kai Aizen. Type: packetstorm. Source: packetstorm.news. 114 views.
ZipSlip path traversal in ddev/ddev archive extraction (CVE-2026-32885) enables arbitrary file writes.

# CVE-2026-32885: ZipSlip Path Traversal in ddev/ddev Archive Extraction (CVSS 6.5 Moderate)

[![GHSA](https://img.shields.io/badge/GHSA-x2xq--qhjf--5mvg-red)](https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg)
[![CVE](https://img.shields.io/badge/CVE--2026--32885-orange)](https://www.cve.org/CVERecord?id=CVE-2026-32885)
[![CVSS](https://img.shields.io/badge/CVSS-6.5%20Moderate-yellow)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
[![Platform](https://img.shields.io/badge/Platform-gomod-blue)](https://pkg.go.dev/github.com/ddev/ddev)
[![CWE](https://img.shields.io/badge/CWE--22-Path%20Traversal-purple)](https://cwe.mitre.org/data/definitions/22.html)

**Keywords:** ZipSlip, path traversal, archive extraction, CWE-22, ddev, Go, tar, zip

---

## Table of Contents

- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Technical Analysis](#technical-analysis)
- [Attack Chain](#attack-chain)
- [Impact](#impact)
- [Remediation](#remediation)
- [CVSS Metrics](#cvss-metrics)
- [Timeline](#timeline)
- [References](#references)
- [Contact](#contact)
- [Disclaimer](#disclaimer)

---

## Overview

A ZipSlip path traversal vulnerability exists in [ddev/ddev](https://github.com/ddev/ddev) (3K+ stars), a popular open-source local development tool for PHP, Python, and Node.js projects. Both the `Untar()` and `Unzip()` functions in `pkg/archive/archive.go` use `filepath.Join(dest, file.Name)` without any path containment validation, allowing a crafted archive to write files to arbitrary locations on a developer machine.

ddev downloads and extracts archives from remote sources for add-ons, database imports (`ddev import-db`), and file imports (`ddev import-files`), making this a realistic attack vector through supply chain or social engineering scenarios.

---

## Vulnerability Details

| Field | Value |
|-------|-------|
| **Advisory** | [GHSA-x2xq-qhjf-5mvg](https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg) |
| **CVE** | [CVE-2026-32885](https://www.cve.org/CVERecord?id=CVE-2026-32885) |
| **CWE** | [CWE-22: Improper Limitation of a Pathname to a Restricted Directory](https://cwe.mitre.org/data/definitions/22.html) |
| **CVSS Score** | 6.5 (Moderate) |
| **Package** | github.com/ddev/ddev (Go) |
| **Affected Versions** | <= latest (all versions) |
| **Patched Version** | None (fix in progress) |
| **Component** | `pkg/archive/archive.go` |

---

## Technical Analysis

### Vulnerable Code

Both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go` construct output paths by directly joining the destination directory with the archive entry name, without any sanitization or containment check.

**`pkg/archive/archive.go:235` (Untar):**

```go
fullPath := filepath.Join(dest, file.Name)  // NO SANITIZATION
```

**`pkg/archive/archive.go:342` (Unzip):**

```go
fullPath := filepath.Join(dest, file.Name)  // NO SANITIZATION
```

Both functions then create directories via `os.MkdirAll` and files via `os.Create` using the unsanitized path.

### The Core Issue

Go's `filepath.Join()` resolves `../` sequences in the joined path. When an archive entry has a name like `../../../tmp/malicious`, the resulting `fullPath` escapes the intended destination directory:

```go
// Example:
// dest = "/safe/extract/dir"
// file.Name = "../../../tmp/malicious"
// filepath.Join(dest, file.Name) = "/tmp/malicious"  // ESCAPED!
```

### Secure Pattern (Missing)

The fix requires a path containment check after `filepath.Join`:

```go
fullPath := filepath.Join(dest, file.Name)
if !strings.HasPrefix(filepath.Clean(fullPath), filepath.Clean(dest) + string(os.PathSeparator)) {
    return fmt.Errorf("entry %q escapes destination directory", file.Name)
}
```

---

## Attack Chain

```
+----------------------------------------------------------+
|  1. CRAFT MALICIOUS ARCHIVE                              |
|     Tar/zip with ../../../ path traversal entries         |
+---------------------------+------------------------------+
                            |
                            v
+----------------------------------------------------------+
|  2. DELIVER TO DEVELOPER                                 |
|     - Malicious ddev add-on                              |
|     - Compromised database dump (ddev import-db)         |
|     - Trojan file archive (ddev import-files)            |
+---------------------------+------------------------------+
                            |
                            v
+----------------------------------------------------------+
|  3. DDEV EXTRACTS ARCHIVE                                |
|     Untar()/Unzip() calls filepath.Join(dest, file.Name) |
|     No path containment check                            |
+---------------------------+------------------------------+
                            |
                            v
+----------------------------------------------------------+
|  4. ARBITRARY FILE WRITE                                 |
|     Files written outside extraction directory            |
|     Overwrite configs, inject code, plant backdoors      |
+----------------------------------------------------------+
```

---

## Impact

| Aspect | Description |
|--------|-------------|
| **Direct Impact** | Arbitrary file write on developer machines |
| **Attack Surface** | ddev add-ons, `ddev import-db`, `ddev import-files` |
| **Supply Chain Risk** | Malicious add-ons can overwrite project files or system configs |
| **Social Engineering** | Database dumps from compromised staging/colleague/client |
| **Affected Users** | 3K+ GitHub stars, widely used in PHP/Drupal/WordPress development |

The maintainer (rfay) confirmed the risk extends beyond add-on installs to include `ddev import-db` (user-supplied database archives) and `ddev import-files` (user-supplied file archives), where developers have no reason to suspect malicious content.

---

## Remediation

**For ddev maintainers:**
- Add path containment checks after `filepath.Join` in both `Untar()` and `Unzip()` functions
- Verify `filepath.Clean(fullPath)` is prefixed by `filepath.Clean(dest)` + path separator
- For symlinks in tar archives: resolve link targets and apply the same containment check
- Add tests covering `../` traversal in file entries, symlink targets, and absolute symlink targets
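The containment check from the Secure Pattern section and the symlink handling from the maintainer list above, written as an added Go example (not ddev's code) that validates a tar stream before anything would be created on disk. It uses `filepath.Rel` instead of the string-prefix test so the usual `./` top-level entry is accepted while a sibling such as `/safe/extract2` is still rejected, resolves relative symlink targets against the link's own directory, and refuses absolute symlink targets outright. The `/safe/extract/dir` destination and the entry names are constructed; nothing is written.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// within reports whether p (already joined with dest) is dest itself or below it. filepath.Rel
// accepts the common "./" top-level entry (rel == ".") that a plain prefix+separator test would
// reject, while a sibling such as /safe/extract2 still fails the check.
func within(dest, p string) bool {
	rel, err := filepath.Rel(filepath.Clean(dest), filepath.Clean(p))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// CheckTar is the validation a hardened Untar would run before any os.MkdirAll/os.Create call:
// every entry path must stay inside dest, relative symlink targets are resolved from the link's
// own directory and must stay inside dest too, and absolute symlink targets are refused outright.
// Nothing is written to disk.
func CheckTar(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		full := filepath.Join(dest, hdr.Name) // the advisory's join, now checked before use
		if !within(dest, full) {
			return fmt.Errorf("entry %q escapes %s", hdr.Name, dest)
		}
		if hdr.Typeflag == tar.TypeSymlink &&
			(filepath.IsAbs(hdr.Linkname) || !within(dest, filepath.Join(filepath.Dir(full), hdr.Linkname))) {
			return fmt.Errorf("symlink %q -> %q escapes %s", hdr.Name, hdr.Linkname, dest)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a one-entry tar whose name climbs out of the destination directory.
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	_ = tw.WriteHeader(&tar.Header{Name: "../../../tmp/malicious", Mode: 0o644, Typeflag: tar.TypeReg})
	_ = tw.Close()
	fmt.Println(CheckTar(&buf, "/safe/extract/dir"))
}
```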

**For ddev users:**
- Only use add-ons from trusted sources
- Only import database dumps and file archives from verified origins
- Monitor for unexpected file changes after running import commands

---

## CVSS Metrics

**Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`

| Metric | Value | Rationale |
|--------|-------|-----------|
| Attack Vector | Network | Malicious archives delivered remotely |
| Attack Complexity | Low | Standard ZipSlip payload construction |
| Privileges Required | None | No authentication needed |
| User Interaction | Required | Developer must extract the archive |
| Scope | Unchanged | Impact stays within developer machine |
| Confidentiality | None | Write-only primitive |
| Integrity | High | Arbitrary file write anywhere on filesystem |
| Availability | None | No denial of service |

---

## Timeline

| Date | Event |
|------|-------|
| 2026-03-10 | Vulnerability reported via GitHub PVRT |
| 2026-03-10 | Maintainer (rfay) acknowledged and confirmed the vulnerability |
| 2026-03-15 | CVE requested by stasadev |
| 2026-03-17 | CVE-2026-32885 assigned by GitHub |

---

## References

- [GHSA-x2xq-qhjf-5mvg](https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg)
- [CVE-2026-32885](https://www.cve.org/CVERecord?id=CVE-2026-32885)
- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory](https://cwe.mitre.org/data/definitions/22.html)
- [Snyk ZipSlip Research](https://security.snyk.io/research/zip-slip-vulnerability)

---

## Contact

- **Website:** [snailsploit.com](https://snailsploit.com)
- **GitHub:** [@SnailSploit](https://github.com/SnailSploit)
- **LinkedIn:** [/in/kaiaizen](https://linkedin.com/in/kaiaizen)

---

## Disclaimer

This advisory is published for educational and defensive purposes under responsible disclosure principles. The information provided is intended to help developers and security teams understand and remediate the vulnerability. Do not use this information for unauthorized testing or malicious purposes.

Vulners score: 5.9 (Medium risk). Vulners AI Score: 5.9. EPSS: 0.00019.