Zip Slip in Chi with Api Keys
Zip Slip in Chi with Api Keys — how this specific combination creates or exposes the vulnerability
Zip Slip is a path traversal vulnerability that occurs when an archive entry is extracted without proper validation, allowing directory traversal sequences (e.g., ../) to escape the intended extraction directory. When Api Keys are handled insecurely in a Chi-based Go service, the combination of unsafe archive extraction and key management can expose sensitive credentials. For example, if an API endpoint accepts a ZIP file containing configuration or key material and extracts it using zip.File.Open() without sanitizing file paths, an attacker can include crafted entries like ../../../etc/api-keys.json to overwrite arbitrary files or inject malicious content into key storage locations.
In Chi, a common pattern is to load Api Keys from files or environment variables at startup. If a developer builds a handler that uploads and extracts a ZIP to load keys dynamically (e.g., for hot-reloading), and does not validate file paths, the handler may inadvertently write extracted files outside the target directory. This can lead to overwriting legitimate key files, placing keys in world-readable locations, or executing code if the keys are later loaded and used in an unsafe manner. The vulnerability is not in Chi itself but in how the handler processes user-supplied archives and manages key material. An attacker who can influence extraction paths may gain access to Api Keys by forcing writes to known locations or reading files via path traversal during extraction.
Consider an endpoint that receives a ZIP and extracts it into a keys directory:
import (
"archive/zip"
"io"
"net/http"
"os"
"path/filepath"
)
func extractKeysHandler(w http.ResponseWriter, r *http.Request) {
// Anti-pattern: unsafe extraction in Chi
zipFile, _, err := r.FormFile("archive")
if err != nil {
http.Error(w, "invalid archive", http.StatusBadRequest)
return
}
defer zipFile.Close()
reader, err := zip.NewReader(zipFile, zipFile.Size) // simplified; real code needs io.ReaderAt
if err != nil {
http.Error(w, "invalid zip", http.StatusBadRequest)
return
}
for _, f := range reader.File {
// Missing path sanitization — Zip Slip risk
dest := filepath.Join("/opt/service/keys", f.Name)
if !isSafePath(dest) {
http.Error(w, "invalid file path", http.StatusBadRequest)
continue
}
if f.FileInfo().IsDir() {
os.MkdirAll(dest, os.ModePerm)
continue
}
src, err := f.Open()
if err != nil {
http.Error(w, "cannot open file", http.StatusInternalServerError)
continue
}
defer src.Close()
dst, err := os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
if err != nil {
http.Error(w, "cannot create file", http.StatusInternalServerError)
continue
}
io.Copy(dst, src)
dst.Close()
}
w.WriteHeader(http.StatusOK)
}
func isSafePath(p string) bool {
// Weak validation: only blocks leading slash, not traversal
return !(len(p) > 0 && p[0] == '/' || p == "..")
}
The isSafePath function is insufficient; it does not clean .. path segments or resolve symlinks, enabling Zip Slip. If the extracted keys file contains Api Keys, an attacker who can control the archive can overwrite or inject key files, leading to credential exposure or privilege escalation. In Chi services that rely on file-based key stores, this can compromise authentication and authorization across the application.
Api Keys-Specific Remediation in Chi — concrete code fixes
Remediation centers on strict path validation and avoiding dynamic key loading from untrusted archives. Do not extract user-provided ZIP files into key directories. If you must support key rotation, use signed configuration bundles and validate contents before applying. Below are concrete, safe patterns for handling Api Keys in Chi services.
- Never extract user-uploaded archives to key paths. Instead, parse keys from environment variables or a secure vault at startup.
- If you must process archives, extract to a temporary directory, validate each entry with
filepath.Cleanand ensure the cleaned path remains within the target directory (a canonical path check), and avoid writing files that contain sensitive material. - Use Chi routes to serve keys only via authenticated, authorized endpoints, and never expose raw key files via HTTP.
Safe key loading without user-supplied archives:
import (
"os"
)
func loadApiKeys() (map[string]string, error) {
keys := make(map[string]string)
// Load from environment or secure source; avoid file extraction
apiKey := os.Getenv("API_KEY")
if apiKey == "" {
return nil, os.ErrNotExist
}
keys["service"] = apiKey
return keys, nil
}
func keysHandler(keys map[string]string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
// Chi route example: serve keys only to authenticated callers
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"keys_available": true}`)) // Do not expose keys
}
}
Safe archive processing (if you must accept archives):
import (
"archive/zip"
"io"
"os"
"path/filepath"
"strings"
)
func safeExtractBaseDir(targetDir string, reader *zip.Reader) error {
for _, f := range reader.File {
// Clean and ensure no ".." escapes targetDir
cleanName := filepath.Clean("/" + f.Name)
if cleanName == "/.." || strings.HasPrefix(cleanName, "/../") {
return os.ErrInvalid
}
dest := filepath.Join(targetDir, cleanName)
if dest == targetDir {
continue
}
if !strings.HasPrefix(dest, filepath.Clean(targetDir)+string(os.PathSeparator)) && dest != filepath.Clean(targetDir) {
return os.ErrPermission
}
if f.FileInfo().IsDir() {
os.MkdirAll(dest, f.Mode())
continue
}
src, err := f.Open()
if err != nil {
return err
}
defer src.Close()
dst, err := os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
if err != nil {
return err
}
defer dst.Close()
if _, err := io.Copy(dst, src); err != nil {
return err
}
}
return nil
}
By avoiding the combination of dynamic key loading and unsafe extraction, you mitigate Zip Slip risks specific to Api Keys. Use the middleBrick CLI (middlebrick scan <url>) to validate your endpoints for path traversal and exposure of key-related endpoints as part of your security checks.