HIGH zip slipexpressbasic auth

Zip Slip in Express with Basic Auth

Scan for zip slip in express

Zip Slip in Express with Basic Auth — how this specific combination creates or exposes the vulnerability

Zip Slip is a path traversal vulnerability where an attacker-controlled archive (e.g., a ZIP file) is extracted without proper sanitization, allowing files to be written outside the intended extraction directory. In an Express API that accepts file uploads and uses Basic Auth for access control, the combination of user-supplied archives and per-request authentication can amplify risk in a few specific ways.

First, Basic Auth in Express is typically implemented by reading the Authorization header, decoding the base64-encoded username:password pair, and validating credentials per request. If the validation logic is applied only at the route level without ensuring strict input handling for uploaded files, an authenticated context can give an attacker a foothold to probe or exploit file extraction behavior. For example, an authenticated client might repeatedly send crafted archives containing malicious paths such as ../../../etc/passwd or executable scripts that overwrite critical files during extraction.

Second, because middleBrick scans the unauthenticated attack surface and also tests authentication and authorization checks (BOLA/IDOR and Authentication), it can detect whether path traversal is possible in endpoints that rely on Basic Auth without additional validation. An API that accepts a file payload and a target extraction path, and then uses user-controlled data to build filesystem paths, may expose directory traversal even when Basic Auth is present. This is because authentication verifies identity but does not sanitize or restrict what an authenticated user can request the server to extract.

Third, the interplay with middleware matters. If Express routes parse the Authorization header and then pass the request to an upload handler that uses libraries like adm-zip or yauzl without validating entry.name, an attacker can send a ZIP with absolute or relative paths that escape the destination folder. middleBrick’s checks for Input Validation and Property Authorization are designed to surface these classes of issues by correlating spec definitions with runtime behavior, highlighting missing constraints on path parameters and uploaded archive contents.

Concrete attack patterns in this scenario include an authenticated user uploading a ZIP containing entries like ../../../../../windows/system32/config/sam on Windows or ../../../../etc/shadow on Unix-like systems. If the server extracts entries using naive concatenation (e.g., const dest = path.join(uploadDir, entry.name) without normalization and containment checks), the resulting extracted file can overwrite system or application files, leading to information disclosure or code execution depending on the file type and server privileges.

To summarize, the risk in Express with Basic Auth arises when authentication is treated as the sole security boundary while file extraction logic fails to validate and sanitize paths inside user-provided archives. middleBrick’s parallel checks for Authentication, Input Validation, and Property Authorization help identify whether path traversal exists in endpoints that require credentials, providing findings with severity and remediation guidance rather than attempting to fix the extraction logic itself.

Basic Auth-Specific Remediation in Express — concrete code fixes

Securing Express endpoints that use Basic Auth and file extraction requires strict validation of paths and separation of authentication from file handling logic. Below are concrete, working code examples demonstrating safer approaches.

Example 1: Basic Auth middleware with proper path sanitization

Use a dedicated middleware to validate credentials, and ensure any file path derived from user input is resolved within a strict base directory using path.resolve and containment checks.

import express from 'express';
import { createHash } from 'crypto';
import path from 'path';

const app = express();
app.use(express.json());
app.use(express.raw({ type: 'application/zip' }));

const users = new Map([
  ['alice', createHash('sha256').update('s3cret').digest('hex')]
]);

function basicAuth(req, res, next) {
  const header = req.headers.authorization;
  if (!header || !header.startsWith('Basic ')) {
    return res.status(401).send('Unauthorized');
  }
  const token = header.slice(6);
  const decoded = Buffer.from(token, 'base64').toString('utf8');
  const [user, pass] = decoded.split(':');
  const expected = users.get(user);
  if (!expected || expected !== createHash('sha256').update(pass).digest('hex')) {
    return res.status(401).send('Unauthorized');
  }
  next();
}

app.post('/upload', basicAuth, (req, res) => {
  const zipBuffer = req.body;
  const safeBase = path.resolve('./uploads');
  try {
    const zip = new AdmZip(zipBuffer);
    const entries = zip.getEntries();
    for (const entry of entries) {
      const normalized = path.normalize(entry.entryName).replace(/^(\/|\\)/, '');
      const target = path.resolve(safeBase, normalized);
      if (!target.startsWith(safeBase)) {
        return res.status(400).send('Invalid entry path');
      }
      // Ensure entry is a file and does not overwrite outside safeBase
      if (entry.entryName.endsWith('/')) {
        // handle directories if needed
        continue;
      }
      // write file to target
    }
    res.send('OK');
  } catch (err) {
    res.status(400).send('Failed to process archive');
  }
});

app.listen(3000, () => console.log('Server running on port 3000'));

Example 2: Using multer with strict filename validation

If you prefer streaming uploads, combine Basic Auth with multer and a filename sanitizer that rejects paths and enforces extensions.

import express from 'express';
import multer from 'multer';
import { createHash } from 'crypto';
import path from 'path';

const app = express();
const safeBase = path.resolve('./uploads');

const storage = multer.diskStorage({
  destination: (req, file, cb) => {
    cb(null, safeBase);
  },
  filename: (req, file, cb) => {
    const cleanName = file.originalName.replace(/[^a-zA-Z0-9_.-]/g, '_');
    cb(null, cleanName);
  }
});

const upload = multer({ storage, limits: { fileSize: 5 * 1024 * 1024 } });

function basicAuth(req, res, next) {
  const header = req.headers.authorization;
  if (!header || !header.startsWith('Basic ')) return res.status(401).send('Unauthorized');
  const token = Buffer.from(header.slice(6), 'base64').toString('utf8');
  const [user, pass] = token.split(':');
  if (user === 'alice' && pass === 's3cret') return next();
  res.status(401).send('Unauthorized');
}

app.post('/upload-basic', basicAuth, upload.single('archive'), (req, res) => {
  if (!req.file) return res.status(400).send('No file uploaded');
  res.send('File received safely');
});

app.listen(3000, () => console.log('Server running on port 3000'));

Key remediation practices

  • Always normalize and resolve paths with path.resolve and verify they remain within the intended base directory.
  • Do not trust entry names from archives; sanitize and validate before using them in filesystem operations.
  • Keep authentication separate from file processing logic; avoid coupling credential checks with extraction routines.
  • Limit file size and inspect content types to reduce impact of malicious uploads.

middleBrick’s scans can highlight missing validation around path parameters and weak authentication coupling, giving prioritized findings and remediation guidance without claiming to fix or block anything.

Scan for zip slip in express Free API security scan

Frequently Asked Questions

Does Basic Auth alone prevent Zip Slip if credentials are valid?
No. Basic Auth confirms identity per request but does not sanitize user-supplied archive contents or paths. Without path validation, an authenticated user can still craft archives that traverse outside the intended extraction directory.
Can middleBrick fix Zip Slip vulnerabilities in Express with Basic Auth?
No. middleBrick detects and reports the presence of path traversal and authorization weaknesses, providing findings with severity and remediation guidance. It does not fix, patch, or block the vulnerability itself.

Related Pages

Zip Slip in ExpressZip Slip vulnerabilities in Express allow attackers to overwrite files via malicious ZIP uploads. Learn detection and reZip Slip with Basic AuthHow Zip Slip vulnerabilities manifest in Basic Auth contexts, with detection techniques and remediation strategies for aZip Slip in Express on AwsUnderstand Zip Slip in Express on AWS with concrete attack scenarios and AWS-specific remediation examples.Zip Slip in Express on FirebaseExplore Zip Slip in Express with Firebase — understand the risk and apply concrete path validation and Firebase-specificZip Slip in Express on Fly IoUnderstand Zip Slip in Express on Fly Io, with concrete remediation code examples and Fly Io configuration guidance.Zip Slip in Express on DigitaloceanLearn how Zip Slip affects Express on Digitalocean and apply concrete path validation fixes in Node.js with code examplePci Dss: Zip Slip in ExpressExplore how Zip Slip impacts PCI-DSS in Express apps and apply concrete Express code fixes to prevent path traversal in Soc2: Zip Slip in ExpressExplore Zip Slip in Express APIs, understand SOC 2 implications, and apply concrete Express remediation with code examplIso 27001: Zip Slip in ExpressExplore Zip Slip in Express through ISO 27001 controls, with secure extraction code and remediation guidance.Cis: Zip Slip in ExpressCis in Zip Slip with Express: understand the path traversal risk and apply concrete Express-specific fixes with secure cZip Slip in Express with DynamodbExplore Zip Slip in Express with DynamoDB: understand the vulnerability chain and apply concrete code fixes using safe pZip Slip in Express with CockroachdbExplore Zip Slip in Express with Cockroachdb, understand path traversal risks, and apply concrete remediation with code