HIGH zip slipfastapibasic auth

Zip Slip in Fastapi with Basic Auth

Scan for zip slip in fastapi

Zip Slip in Fastapi with Basic Auth — how this specific combination creates or exposes the vulnerability

Zip Slip is a path traversal vulnerability that occurs when an application constructs file paths using unsanitized user input. In Fastapi, combining this vulnerability with Basic Authentication can expose subtle risks around file extraction and account enumeration, even when authentication is required.

When Basic Auth is used, credentials are sent in the Authorization header as a base64-encoded string. While this does not directly cause Zip Slip, it can influence how attacks are probed and observed. For example, an authenticated endpoint that extracts files from a user-supplied archive may trust the request identity but still fail to validate path segments. If the endpoint does not restrict traversal sequences like ../, an authenticated user can extract files outside the intended directory. In this scenario, authentication confirms identity but does not prevent malicious path manipulation, creating a scenario where access control is bypassed at the filesystem level.

Furthermore, error handling differences based on authentication state can leak information. An endpoint that returns detailed errors for authenticated users but generic responses for unauthenticated ones may expose whether a path traversal succeeded. This can aid an attacker in refining probes. Even though middleBrick tests unauthenticated attack surfaces, understanding how authentication layers interact with file handling logic is important for secure design. The presence of Basic Auth should not reduce scrutiny on input validation within archive extraction or file upload logic.

In API security scanning, this interaction is relevant to checks such as Input Validation and Property Authorization. A specification that defines a file-extract endpoint with security schemes using Basic Auth must still enforce strict path normalization and disallow traversal patterns. Runtime tests that upload or extract archives should validate that resolved paths remain within an allowed base directory. Without such controls, the combination of authenticated access and unchecked user input can lead to unauthorized file access or information disclosure.

Basic Auth-Specific Remediation in Fastapi — concrete code fixes

To remediate Zip Slip in Fastapi when using Basic Auth, ensure that user-controlled path components are strictly validated and that file operations are confined to a designated directory. Below are concrete code examples that demonstrate secure handling.

First, implement a secure path resolution utility that normalizes and confines paths:

import os
from pathlib import Path

def safe_path_join(base_dir: str, user_path: str) -> Path:
    # Normalize and resolve the user input against the base directory
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    # Ensure the resolved path remains inside the base directory
    try:
        target.relative_to(base)
    except ValueError:
        raise ValueError('Invalid path: traversal outside base directory')
    return target

Next, use this utility in an endpoint that handles archive extraction with HTTP Basic Authentication:

from fastapi import Fastapi, Depends, HTTPException, Security
from fastapi.security import HTTPBasic, HTTPBasicCredentials
import zipfile

app = Fastapi()
security = HTTPBasic()

def verify_credentials(credentials: HTTPBasicCredentials = Security(security)):
    # Replace with secure credential verification
    if credentials.username != 'admin' or credentials.password != 'secret':
        raise HTTPException(status_code=401, detail='Invalid credentials')
    return credentials

@app.post('/extract')
def extract_archive(
    file_path: str,
    credentials: HTTPBasicCredentials = Security(security)
):
    verify_credentials(credentials)
    base_directory = '/safe/extraction/directory'
    try:
        safe_path = safe_path_join(base_directory, file_path)
        with zipfile.ZipFile(safe_path, 'r') as zf:
            zf.extractall(path=safe_path.parent)
        return {'status': 'extracted'}
    except (ValueError, zipfile.BadZipFile, FileNotFoundError) as e:
        raise HTTPException(status_code=400, detail=str(e))

This approach ensures that user input is confined, and authentication is enforced before any file system interaction. For production use, consider additional measures such as limiting archive contents, avoiding absolute paths, and using non-privileged filesystem permissions.

Scan for zip slip in fastapi Free API security scan

Frequently Asked Questions

How does Basic Auth affect Zip Slip risk in Fastapi APIs?
Basic Auth identifies the requestor but does not prevent path traversal. If endpoint logic does not validate user-supplied paths, authenticated users can still extract files outside intended directories. Authentication changes error behavior and may influence attack probing, so input validation must remain strict regardless of auth method.
What specific remediation steps should be applied for Fastapi APIs using Basic Auth to prevent Zip Slip?
Use a path resolution function that normalizes input and enforces a base directory constraint, apply strict allowlists for permitted paths, validate archive contents before extraction, and ensure error handling does not leak filesystem details. Combine these checks with HTTP Basic Authentication to enforce credentials before file operations.

Related Pages

Zip Slip in FastapiLearn how Zip Slip directory traversal vulnerabilities affect Fastapi applications and how to detect and fix them with sZip Slip with Basic AuthHow Zip Slip vulnerabilities manifest in Basic Auth contexts, with detection techniques and remediation strategies for aZip Slip in Fastapi on CloudflareExplore Zip Slip in Fastapi behind Cloudflare, understand the risk, and apply concrete path validation fixes with code eZip Slip in Fastapi on AzureUnderstanding Zip Slip in Fastapi on Azure and secure extraction patterns with code examples and middleBrick scanning.Zip Slip in Fastapi on DockerExplore Zip Slip in Fastapi inside Docker: how path traversal arises and concrete fixes with secure extraction code and Zip Slip in Fastapi on Fly IoUnderstand Zip Slip in Fastapi on Fly Io, with secure extraction code examples and Fly Io-specific fixes.Pci Dss: Zip Slip in FastapiExplore PCI DSS risks in Zip Slip with Fastapi, understand the vulnerability, and apply concrete code fixes to prevent pSoc2: Zip Slip in FastapiExplore Zip Slip in FastAPI under SOC 2: understand the vulnerability, see secure extraction code, and learn remediationIso 27001: Zip Slip in FastapiExploring Zip Slip in FastAPI under ISO 27001: risk context and secure extraction code examples.Cis: Zip Slip in FastapiUnderstand Zip Slip in FastAPI, how CIS controls relate, and implement secure extraction with concrete code examples.Zip Slip in Fastapi with DynamodbUnderstand Zip Slip in Fastapi with DynamoDB, including how traversal occurs and secure path handling patterns with BotoZip Slip in Fastapi with CockroachdbExplore Zip Slip in Fastapi with Cockroachdb: understand the risk and apply concrete path validation fixes with code exa