Zip Slip in Axum with Dynamodb

Zip Slip is a path traversal vulnerability where an attacker-supplied archive extracts files outside the intended directory by using path segments like ../. In an Axum service that interacts with DynamoDB, the risk is not that DynamoDB executes or stores malicious paths directly, but that application logic using the AWS SDK for Rust can construct unsafe local file paths from data stored or queried in DynamoDB and then pass those paths to filesystem operations. For example, an item in DynamoDB might contain a user-supplied filename or a key that the Rust code uses to build a local extraction or read path. If the application does not sanitize or validate this input, an archive uploaded or referenced by the service can traverse directories when extracted on the host running the Axum server, leading to unauthorized file reads or writes. The vulnerability is introduced at the application layer, not in DynamoDB itself, but DynamoDB becomes a vector because it stores or indexes the filenames or object keys that the Axum service later uses in local filesystem operations without proper validation.

Consider an Axum handler that retrieves an object key from a DynamoDB table and streams a file to disk during extraction. If the object key contains ../ and the code uses it directly with std::fs::copy or a tar extraction library without path normalization and prefix checks, the file can escape the target directory. This is especially dangerous when combined with features like temporary file staging or bulk import endpoints, where the Axum service trusts metadata stored in DynamoDB. Attackers may not need to compromise the database itself; they can exploit insecure design patterns where DynamoDB acts as a data source for unsafe path construction in the Axum runtime.

An API security scan using middleBrick can detect such issues by analyzing the unauthenticated attack surface of the Axum endpoints and correlating findings with insecure patterns in data handling. While DynamoDB does not introduce the vulnerability, the service’s interaction with it can expose path traversal risks when input validation and output encoding are missing. The scan checks for missing input validation controls and insecure consumption patterns that could allow path traversal when integrating with external data stores like DynamoDB.

To prevent Zip Slip in an Axum application that uses DynamoDB, validate and sanitize any path derived from DynamoDB records before using it in filesystem operations. Use Rust’s path manipulation utilities to ensure constructed paths remain within the intended base directory. Below are concrete examples for safe handling.

Example 1: Safe path joining with validation

When retrieving a key from DynamoDB, normalize it and ensure it resolves inside a permitted directory.

use axum::response::IntoResponse;
use std::path::{Path, PathBuf};
use aws_sdk_dynamodb::Client;

async fn handle_export(
    client: &Client,
    table_name: &str,
    key: &str, // key potentially from DynamoDB
    output_dir: &Path,
) -> Result {
    // Normalize and validate the key to prevent path traversal
    let requested_path = sanitize_path(key)?;
    let destination = output_dir.join(requested_path);

    // Ensure the resolved path is still within output_dir
    if !destination.starts_with(output_dir) {
        return Err((axum::http::StatusCode::BAD_REQUEST, "Invalid path".to_string()));
    }

    // Proceed with DynamoDB read and file operations using destination
    // e.g., download object from S3 or read from local cache identified by key
    Ok(("File processed",))
}

fn sanitize_path(input: &str) -> Result {
    let path = Path::new(input);
    let mut components = path.components().peekable();
    let mut normalized = PathBuf::new();

    for component in components {
        match component {
            std::path::Component::Normal(part) => {
                normalized.push(part);
            }
            std::path::Component::ParentDir => {
                if !normalized.pop() {
                    return Err((axum::http::StatusCode::BAD_REQUEST, "Path traversal detected".to_string()));
                }
            }
            std::path::Component::RootDir => {
                normalized.push(component);
            }
            _ => {
                // Ignore other components like CurDir or Prefix on Unix
                if component != std::path::Component::CurDir {
                    return Err((axum::http::StatusCode::BAD_REQUEST, "Invalid path component".to_string()));
                }
            }
        }
    }
    Ok(normalized)
}

Example 2: Using a strict prefix and avoiding user-controlled directories

Always resolve against a fixed base directory and avoid creating subdirectories directly from DynamoDB metadata.

use std::fs;
use aws_sdk_dynamodb::types::SdkError;

async fn safe_extract_from_dynamodb_record(
    record: &aws_sdk_dynamodb::types::Item,
    base_dir: &str,
) -> Result<(), SdkError> {
    if let Some(filename) = record.get("filename") {
        let filename_str = filename.as_s().unwrap_or_default();
        let safe_filename = sanitize_path(filename_str)?;
        let target = format!("{}/{}", base_dir, safe_filename);

        // Ensure target is within base_dir
        let resolved = std::fs::canonicalize(&target).unwrap_or_else(|_| target.into());
        let base = std::fs::canonicalize(base_dir).unwrap_or_else(|_| base_dir.into());
        if !resolved.starts_with(&base) {
            return Err(SdkError::ConstructionFailure("Path escape prevented".into()));
        }

        // Perform safe filesystem actions, e.g., write/download content
        fs::write(resolved, "safe content")?;
    }
    Ok(())
}

Additional measures include avoiding the use of user-controlled directory structures in the filesystem, applying allowlists for file extensions, and scanning API payloads with middleBrick to detect insecure consumption patterns and input validation gaps before deployment.