# Zip Slip / Archive Path Traversal

- ID: python-zip-slip
- Severity: HIGH
- CWE: Path Traversal (CWE-22)
- Languages: Python

## Description

Detects unsafe extraction of ZIP/TAR archives without path validation. A malicious archive can contain member names with `../` components, so that extracting it writes files outside the intended directory (path traversal). Always validate the resolved destination of each member before writing it.

## Remediation

Validate that every extracted path resolves to a location inside the target directory before writing.

```python
import os
import zipfile


def safe_extract(zip_path, extract_to):
    # Resolve the destination once so that relative paths and symlinks
    # are compared on the same footing as the member paths below.
    base = os.path.realpath(extract_to)
    with zipfile.ZipFile(zip_path, 'r') as zf:
        for member in zf.namelist():
            target = os.path.realpath(os.path.join(base, member))
            # commonpath avoids the prefix trick where "/out2" would pass
            # a plain startswith("/out") check.
            if os.path.commonpath([base, target]) != base:
                raise ValueError(f"Path traversal: {member}")
            zf.extract(member, base)
```

Learn more: https://shoulder.dev/learn/python/cwe-22/zip-slip

## Related Rules

- **Path Traversal via File Operations** [HIGH]
- **Zip Slip / Path Traversal in Archive** [HIGH]
- **Path Traversal in File Operations** [CRITICAL]
- **Zip Slip Path Traversal** [HIGH]
- **Path Traversal / Directory Traversal** [HIGH]
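The rule covers both ZIP and TAR archives, so the following added example (written for this page, not code from the rule or its project) applies one containment check to `zipfile` and `tarfile`, builds constructed benign and malicious archives in a temporary directory, and shows that the traversal entries are refused while the benign entry extracts normally. The function names `is_within_directory`, `safe_extract_zip`, `safe_extract_tar`, `build_archives` and `demo` are the example's own. The check also rejects absolute member names, since `os.path.join` discards the destination when the member starts with `/`. The tar side additionally refuses link members and, on Python 3.12 or later, passes `filter="data"` so the standard library enforces the same containment itself; earlier `tarfile` versions perform no such check by default, which is where explicit validation matters most.

```python
import io
import os
import tarfile
import tempfile
import zipfile


def is_within_directory(base, target):
    """True if `target` resolves to `base` or to a path underneath it."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    # commonpath, unlike startswith, treats "/out" and "/out2" as unrelated.
    return os.path.commonpath([base, target]) == base


def safe_extract_zip(zf, dest):
    """Extract an open ZipFile, refusing any member that would escape dest."""
    for name in zf.namelist():
        if not is_within_directory(dest, os.path.join(dest, name)):
            raise ValueError(f"Path traversal in zip member: {name!r}")
    zf.extractall(dest)


def safe_extract_tar(tf, dest):
    """Same check for an open TarFile; link members are refused as well,
    because a symlink written first can redirect a later member's write."""
    for m in tf.getmembers():
        if not is_within_directory(dest, os.path.join(dest, m.name)):
            raise ValueError(f"Path traversal in tar member: {m.name!r}")
        if m.issym() or m.islnk():
            raise ValueError(f"Link member not allowed: {m.name!r}")
    if hasattr(tarfile, "data_filter"):   # Python 3.12+: stdlib enforces containment too
        tf.extractall(dest, filter="data")
    else:
        tf.extractall(dest)


def build_archives(workdir):
    """Construct fixtures: one benign zip, one zip and one tar with a '../' member.
    These are test inputs built here, not captured archives."""
    benign_zip = os.path.join(workdir, "benign.zip")
    with zipfile.ZipFile(benign_zip, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
    evil_zip = os.path.join(workdir, "evil.zip")
    with zipfile.ZipFile(evil_zip, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../escape.txt", "outside")   # traversal entry
    evil_tar = os.path.join(workdir, "evil.tar")
    with tarfile.open(evil_tar, "w") as tf:
        info = tarfile.TarInfo("../escape.txt")    # traversal entry
        data = b"outside"
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return benign_zip, evil_zip, evil_tar


def demo():
    """Run both extractors against the fixtures and report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        benign_zip, evil_zip, evil_tar = build_archives(work)
        dest = os.path.join(work, "out")
        os.mkdir(dest)
        with zipfile.ZipFile(benign_zip) as zf:
            safe_extract_zip(zf, dest)
        results["benign_extracted"] = os.path.isfile(os.path.join(dest, "docs", "readme.txt"))
        try:
            with zipfile.ZipFile(evil_zip) as zf:
                safe_extract_zip(zf, dest)
            results["zip_rejected"] = False
        except ValueError:
            results["zip_rejected"] = True
        try:
            with tarfile.open(evil_tar) as tf:
                safe_extract_tar(tf, dest)
            results["tar_rejected"] = False
        except ValueError:
            results["tar_rejected"] = True
        # Nothing may have landed beside the destination directory.
        results["nothing_escaped"] = not os.path.exists(os.path.join(work, "escape.txt"))
    return results


if __name__ == "__main__":
    print(demo())
```

Validation runs over the whole member list before anything is written, so a rejected archive leaves no partial extraction behind; checking and extracting member by member would write the benign entries before reaching the malicious one.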