Archive Extraction with Safety
Extract ZIP files and other archives safely without zip-slip vulnerabilities. This example shows how PathBoundary detects and rejects malicious archive entries.
The Problem
Archive extractors are vulnerable to zip-slip attacks where malicious archives contain entries like:
- ❌
../../../etc/passwd- Escapes to system files - ❌
..\\..\\windows\\system32\\evil.exe- Escapes on Windows - ❌ Symlinks pointing outside the extraction directory
The Solution: Choose Based on Your Use Case
Production Archive Extraction: Use PathBoundary to Detect Attacks
Use PathBoundary for production archive extraction. This detects malicious paths and allows you to:
- Log the attack attempt
- Reject the entire archive as compromised
- Alert administrators
- Take appropriate security action
When extracting archives in production:
- Escape attempts indicate a malicious archive
- You want to detect and reject the archive, not silently hide the attack
- The archive should be quarantined or deleted
- Users/admins should be alerted to the attempted attack
PathBoundary returns Err(PathEscapesBoundary) so you can handle the security event appropriately.
Research/Sandbox: Use VirtualRoot to Safely Analyze
Use VirtualRoot when analyzing suspicious archives in a controlled environment:
- Malware analysis and security research
- Safely studying attack techniques
- Observing malicious behavior while containing it
- Testing archive parsing without risk
In research scenarios, you want to see what the malicious archive tries to do, but safely contained within a virtual boundary.
Recommended Patterns
- ✅ Use
create_parent_dir_all()before writes to avoid race conditions - ✅ Always join via
virtual_join()orstrict_join()- never concatenate paths manually - ✅ Treat absolute, UNC, drive-relative, or namespace-prefixed paths as untrusted
- ✅ On Windows, NTFS Alternate Data Streams (ADS) like
"file.txt:stream"are handled safely
Anti-Patterns (Don’t Do This)
- ❌ Building paths with
format!/push/joinonstd::path::Pathwithout validation - ❌ Stripping
"../"by string replacement - ❌ Allowing absolute paths through to the OS
- ❌ Treating encoded/unicode tricks (URL-encoded, dot lookalikes) as pre-sanitized
Complete Example with PathBoundary
use strict_path::{PathBoundary, StrictPath};
use std::fs;
use std::io::Write;
struct SafeArchiveExtractor {
extraction_dir: PathBoundary,
}
impl SafeArchiveExtractor {
fn new(extract_to: &str) -> Result<Self, Box<dyn std::error::Error>> {
let extraction_dir = PathBoundary::try_new_create(extract_to)?;
Ok(Self { extraction_dir })
}
fn extract_entry(&self, entry_path: &str, content: &[u8]) -> Result<StrictPath, Box<dyn std::error::Error>> {
// This automatically prevents zip-slip attacks
let safe_path = self.extraction_dir.strict_join(entry_path)?;
// Create parent directories and write the file
safe_path.create_parent_dir_all()?;
safe_path.write(content)?;
println!("📦 Extracted: {entry_path} -> {}", safe_path.strictpath_display());
Ok(safe_path)
}
fn extract_mock_zip(&self) -> Result<Vec<StrictPath>, Box<dyn std::error::Error>> {
// Simulate extracting a ZIP file with various entries
let entries = vec![
("readme.txt", b"Welcome to our software!" as &[u8]),
("src/main.rs", b"fn main() { println!(\"Hello!\"); }"),
("docs/api.md", b"# API Documentation"),
("config/settings.json", b"{ \"debug\": true }"),
// These malicious entries would be automatically blocked:
// ("../../../etc/passwd", b"hacked"), // ❌ Blocked!
// ("..\\windows\\system32\\evil.exe", b"malware"), // ❌ Blocked!
// ("/absolute/path/hack.txt", b"bad"), // ❌ Blocked!
];
let mut extracted_files = Vec::new();
for (entry_path, content) in entries {
match self.extract_entry(entry_path, content) {
Ok(safe_path) => extracted_files.push(safe_path),
Err(e) => println!("⚠️ Blocked malicious entry '{}': {}", entry_path, e),
}
}
Ok(extracted_files)
}
}
fn main() -> Result<(), Box<dyn std::error::Error>> {
let extractor = SafeArchiveExtractor::new("extracted_files")?;
println!("🗃️ Extracting archive safely...");
let extracted = extractor.extract_mock_zip()?;
println!("\n✅ Successfully extracted {} files:", extracted.len());
for file in &extracted {
println!(" 📄 {}", file.strictpath_display());
}
// Verify we can read the extracted files
for file in &extracted {
if file.strictpath_extension().and_then(|s| s.to_str()) == Some("txt") {
let content = file.read_to_string()?;
println!("📖 {}: {}", file.strictpath_display(), content.trim());
}
}
Ok(())
}Handling Malicious Archives
When a malicious path is detected, you should:
#![allow(unused)]
fn main() {
fn extract_entry_with_security(
extraction_dir: &PathBoundary,
entry_path: &str,
content: &[u8],
) -> Result<StrictPath, Box<dyn std::error::Error>> {
match extraction_dir.strict_join(entry_path) {
Ok(safe_path) => {
// Valid path - extract normally
safe_path.create_parent_dir_all()?;
safe_path.write(content)?;
Ok(safe_path)
}
Err(e) => {
// Malicious path detected!
eprintln!("🚨 SECURITY ALERT: Malicious archive entry detected!");
eprintln!(" Entry path: {}", entry_path);
eprintln!(" Error: {}", e);
eprintln!(" Action: Rejecting entire archive as compromised");
// Return error to stop extraction
Err(format!("Archive contains malicious path: {}", entry_path).into())
}
}
}
// Usage
let entries = vec![
("readme.txt", b"Safe content" as &[u8]),
("../../../etc/passwd", b"Malicious"), // Skipped with log
("docs/api.md", b"More safe content"),
];
let count = extract_all_resilient("extracted", entries)?;
println!("✅ Successfully extracted {} files", count);
}Key Security Features
1. Bounded Extraction Directory
#![allow(unused)]
fn main() {
let extraction_dir = PathBoundary::try_new_create(extract_to)?;
}All extracted files must stay within this directory.
2. Automatic Malicious Path Detection
#![allow(unused)]
fn main() {
let safe_path = self.extraction_dir.strict_join(entry_path)?;
}This line does all the heavy lifting:
- Normalizes
../sequences - Blocks absolute paths
- Prevents symlink escapes
- Returns an error for malicious paths
3. Parent Directory Creation
#![allow(unused)]
fn main() {
safe_path.create_parent_dir_all()?;
}Automatically creates any necessary parent directories within the boundary.
4. Type-Safe Returns
#![allow(unused)]
fn main() {
fn extract_entry(&self, entry_path: &str, content: &[u8]) -> Result<StrictPath, ...>
}Returning StrictPath ensures extracted paths are always validated.
Attack Scenarios Prevented
| Malicious Entry | StrictPath Result | VirtualPath Result |
|---|---|---|
../../../etc/passwd | ❌ Error: path escapes boundary | ✅ Clamped to vroot /etc/passwd |
..\\windows\\system32\\evil.exe | ❌ Error: path escapes boundary | ✅ Clamped to vroot /windows/system32/evil.exe |
/var/www/html/shell.php | ❌ Error: absolute path rejected | ✅ Clamped to vroot /var/www/html/shell.php |
legitimate/../../etc/passwd | ❌ Normalized and blocked | ✅ Normalized and clamped |
Symlink to /etc/passwd | ❌ Target validated, error if outside | ✅ Target clamped to vroot /etc/passwd |
Note: For archive extraction, consider using VirtualPath instead of StrictPath to gracefully clamp malicious entries rather than rejecting them. This provides defense-in-depth: even hostile archives with absolute paths or symlinks are safely contained within the extraction directory.
Real ZIP Integration
With the zip crate:
use strict_path::{PathBoundary, StrictPath};
use zip::ZipArchive;
use std::fs::File;
use std::io::Read;
struct RealArchiveExtractor {
extraction_dir: PathBoundary,
}
impl RealArchiveExtractor {
fn new(extract_to: &str) -> Result<Self, Box<dyn std::error::Error>> {
let extraction_dir = PathBoundary::try_new_create(extract_to)?;
Ok(Self { extraction_dir })
}
fn extract_zip(&self, zip_path: &str) -> Result<Vec<StrictPath>, Box<dyn std::error::Error>> {
let file = File::open(zip_path)?;
let mut archive = ZipArchive::new(file)?;
let mut extracted_files = Vec::new();
for i in 0..archive.len() {
let mut file = archive.by_index(i)?;
let entry_path = file.name();
// Validate the entry path - blocks zip-slip automatically
let safe_path = match self.extraction_dir.strict_join(entry_path) {
Ok(path) => path,
Err(e) => {
println!("⚠️ Skipping malicious entry '{}': {}", entry_path, e);
continue;
}
};
if file.is_dir() {
safe_path.create_dir_all()?;
} else {
safe_path.create_parent_dir_all()?;
let mut content = Vec::new();
file.read_to_end(&mut content)?;
safe_path.write(&content)?;
extracted_files.push(safe_path);
println!("📦 Extracted: {}", entry_path);
}
}
Ok(extracted_files)
}
}
fn main() -> Result<(), Box<dyn std::error::Error>> {
let extractor = RealArchiveExtractor::new("extracted")?;
// Extract a real ZIP file safely
let files = extractor.extract_zip("archive.zip")?;
println!("✅ Extracted {} files", files.len());
Ok(())
}TAR Archives
With the tar crate:
#![allow(unused)]
fn main() {
use strict_path::{PathBoundary, StrictPath};
use tar::Archive;
use std::fs::File;
fn extract_tar(tar_path: &str, extract_to: &str) -> Result<Vec<StrictPath>, Box<dyn std::error::Error>> {
let boundary = PathBoundary::try_new_create(extract_to)?;
let mut extracted = Vec::new();
let file = File::open(tar_path)?;
let mut archive = Archive::new(file);
for entry in archive.entries()? {
let mut entry = entry?;
let entry_path = entry.path()?;
let entry_path_str = entry_path.to_string_lossy();
// Validate each entry path
let safe_path = match boundary.strict_join(&*entry_path_str) {
Ok(path) => path,
Err(e) => {
println!("⚠️ Skipping malicious entry '{}': {}", entry_path_str, e);
continue;
}
};
// Extract using the validated path
entry.unpack(safe_path.interop_path())?;
extracted.push(safe_path);
println!("📦 Extracted: {}", entry_path_str);
}
Ok(extracted)
}
}Advanced: Extraction with Filters
Skip certain files or enforce naming patterns:
#![allow(unused)]
fn main() {
impl SafeArchiveExtractor {
fn extract_with_filter<F>(
&self,
entries: Vec<(&str, &[u8])>,
filter: F,
) -> Result<Vec<StrictPath>, Box<dyn std::error::Error>>
where
F: Fn(&str) -> bool,
{
let mut extracted = Vec::new();
for (entry_path, content) in entries {
// Apply custom filter
if !filter(entry_path) {
println!("⏭️ Skipped by filter: {}", entry_path);
continue;
}
// Validate and extract
match self.extract_entry(entry_path, content) {
Ok(path) => extracted.push(path),
Err(e) => println!("⚠️ Failed to extract '{}': {}", entry_path, e),
}
}
Ok(extracted)
}
}
// Usage:
let extracted = extractor.extract_with_filter(entries, |path| {
// Only allow certain file types
path.ends_with(".txt") || path.ends_with(".md") || path.ends_with(".rs")
})?;
}Temporary Extraction
Extract to a temporary directory for processing:
#![allow(unused)]
fn main() {
use strict_path::PathBoundary;
use tempfile::TempDir;
fn extract_to_temp(archive_path: &str) -> Result<(TempDir, Vec<StrictPath>), Box<dyn std::error::Error>> {
// Create temp directory
let temp = TempDir::new()?;
// Create boundary from temp path
let boundary = PathBoundary::try_new(temp.path())?;
// Extract archive
let extracted = extract_archive_to_boundary(&boundary, archive_path)?;
// Return both TempDir (to keep it alive) and extracted paths
Ok((temp, extracted))
}
// Temp directory is automatically cleaned up when TempDir is dropped
}Testing Advice
Test your extraction code with a malicious archive corpus:
Test Cases to Include
- Directory traversal:
"../","..\\","legitimate/../../etc/passwd" - Absolute paths:
"/var/www/evil","C:\\windows\\system32\\evil.exe" - Windows-specific:
- UNC paths:
"\\\\?\\C:\\windows\\evil" - Drive-relative:
"C:..\\foo" - ADS streams:
"decoy.txt:..\\..\\evil.exe" - Reserved names:
"CON","PRN","AUX"
- UNC paths:
- Unicode tricks: Dot lookalikes, NFC vs NFD forms
- Long paths: Paths exceeding system limits
Assertions
#![allow(unused)]
fn main() {
#[test]
fn test_archive_extraction_safety() {
let boundary = PathBoundary::try_new_create("./test_extract").unwrap();
// Should succeed
assert!(boundary.strict_join("safe/path.txt").is_ok());
// Should fail
assert!(boundary.strict_join("../../../etc/passwd").is_err());
assert!(boundary.strict_join("/absolute/path").is_err());
// Cleanup
std::fs::remove_dir_all("test_extract").ok();
}
}Behavior Notes
- Virtual joins clamp traversal lexically to the virtual root
- System-facing escapes (via symlinks/junctions) are rejected during resolution
- Unicode is not normalized - NFC and NFD forms are stored as-is, both safely contained
- Hard links and privileged mount tricks are outside path-level protections (see README limitations)
Using VirtualPath for Extra Safety
For even safer archive extraction, consider using VirtualPath instead of StrictPath. This clamps malicious entries instead of rejecting them:
#![allow(unused)]
fn main() {
use strict_path::{VirtualRoot, VirtualPath};
struct VirtualArchiveExtractor {
extraction_vroot: VirtualRoot,
}
impl VirtualArchiveExtractor {
fn new(extract_to: &str) -> Result<Self, Box<dyn std::error::Error>> {
let extraction_vroot = VirtualRoot::try_new_create(extract_to)?;
Ok(Self { extraction_vroot })
}
fn extract_entry(&self, entry_path: &str, content: &[u8])
-> Result<VirtualPath, Box<dyn std::error::Error>>
{
// Malicious paths are CLAMPED instead of rejected
// "../../../etc/passwd" becomes safe "vroot/etc/passwd"
// Absolute symlink targets are also clamped to vroot
let safe_path = self.extraction_vroot.virtual_join(entry_path)?;
safe_path.create_parent_dir_all()?;
safe_path.write(content)?;
println!("📦 Extracted: {} -> {}",
entry_path,
safe_path.virtualpath_display());
Ok(safe_path)
}
}
}Why VirtualPath for archives?
- ✅ Hostile entries with
../../../are clamped, not rejected - ✅ Absolute symlink targets (e.g.,
link -> /etc/passwd) are clamped to vroot - ✅ Archive extraction continues even with malicious entries
- ✅ Defense-in-depth: every entry is safely contained
- ✅ Perfect for untrusted archives from the internet
When to use each:
StrictPath: Fail-fast validation — reject malicious archives immediatelyVirtualPath: Graceful containment — clamp every entry to stay safe, continue extraction
Best Practices
- Always validate - Never trust archive entry paths
- Log suspicious entries - Track and alert on blocked paths
- Limit extraction size - Check total extracted size to prevent zip bombs
- Filter file types - Only extract expected file types
- Use temporary storage - Extract to temp directory first, then move to final location
- Consider VirtualPath - Use for untrusted archives to clamp rather than reject malicious entries
Integration Tips
With Web Uploads
#![allow(unused)]
fn main() {
async fn handle_upload(file: UploadedFile) -> Result<Vec<String>, AppError> {
// Save uploaded file
let temp_zip = save_upload(file).await?;
// Extract safely
let extractor = SafeArchiveExtractor::new("uploads/extracted")?;
let files = extractor.extract_zip(&temp_zip)?;
// Return list of extracted files
Ok(files.iter()
.map(|p| p.strictpath_display().to_string())
.collect())
}
}With Background Jobs
#![allow(unused)]
fn main() {
async fn extract_job(job_id: String, archive_path: String) -> Result<(), JobError> {
let extract_dir = format!("jobs/{}/extracted", job_id);
let extractor = SafeArchiveExtractor::new(&extract_dir)?;
let files = extractor.extract_zip(&archive_path)?;
// Store results in database
for file in files {
db_store_file(&job_id, file.strictpath_display())?;
}
Ok(())
}
}Next Steps
- See CLI Tool for handling user-provided file paths
- See Web Upload Service for combining uploads with safe storage