DTF vulnerable to "Zip Slip" #6075
Closed
Description
Please provide answers to the following questions to help us narrow down, reproduce, and fix the problem. Fill out one section and delete the others.
- Which version of WiX are you building with?
WiX v3.11.1
- Which version of Visual Studio are you building with (if any)?
N/A
- Which version of the WiX Toolset Visual Studio Extension are you building with (if any)?
N/A
- Which version of .NET are you building with?
Any
- If the problem occurs when installing your packages built with WiX, what is the version of Windows the package is running on?
N/A
- Describe the problem and the steps to reproduce it.
A maliciously crafted cabinet or zip file can be created with traversal paths in the archived file names, for example `..\..\hackedu.dll`. DTF's `ArchiveFileStreamContext` will concatenate the archived file path with a provided base directory, such that the traversal path can place the file outside the provided base directory and possibly overwrite the user's files. This is known as Zip Slip.
- Describe the behavior you expected and how it differed from the actual behavior.
DTF should not write files outside the extraction folder.
This issue was originally reported by Devin Casadey.
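The check the issue asks for, written as an added example in Python rather than as DTF's own C# code: `naive_target_path` reproduces the plain concatenation the report describes, and `safe_target_path` shows the validation an extractor needs before writing an entry. Entry names, the base directory `C:\Users\alice\Extract` and the sample entry list are constructed for this example; `hackedu.dll` is the name used in the report.

```python
import ntpath
import posixpath
from typing import List, Optional, Tuple


def _slashes(path: str) -> str:
    # Cabinet and zip entry names may use either separator; treat them alike.
    return path.replace("\\", "/")


def naive_target_path(base_dir: str, entry_name: str) -> str:
    """Base directory + entry name with no validation: the pattern the issue describes."""
    return posixpath.normpath(posixpath.join(_slashes(base_dir), _slashes(entry_name)))


def safe_target_path(base_dir: str, entry_name: str) -> Optional[str]:
    """Return where the entry may be written, or None if it would escape base_dir."""
    name = _slashes(entry_name)
    # Absolute paths, drive letters (C:) and UNC prefixes never belong in an entry name.
    if posixpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return None
    # Collapse '.' and 'a/../b' segments so any remaining traversal sits at the front.
    rel = posixpath.normpath(name)
    if rel in (".", "..") or rel.startswith("../"):
        return None
    base = posixpath.normpath(_slashes(base_dir))
    target = posixpath.normpath(posixpath.join(base, rel))
    # Final containment check: the resolved target must still be strictly under base.
    # (Symbolic links inside the archive are a separate concern not modelled here.)
    if target == base or posixpath.commonpath([base, target]) != base:
        return None
    return target


def plan_extraction(base_dir: str, entry_names: List[str]) -> Tuple[List[str], List[str]]:
    """Split an archive's entry list into (accepted targets, rejected names) before writing."""
    accepted, rejected = [], []
    for entry in entry_names:
        target = safe_target_path(base_dir, entry)
        if target is None:
            rejected.append(entry)
        else:
            accepted.append(target)
    return accepted, rejected


# Constructed entry list modelled on the report; not taken from a real archive.
SAMPLE_ENTRIES = [
    "setup/readme.txt",
    "bin\\helper.dll",
    "..\\..\\hackedu.dll",      # the traversal name from the report
    "C:\\absolute.dll",         # absolute path with a drive letter
    "sub/../../escape.txt",     # traversal hidden behind a normal-looking prefix
]

if __name__ == "__main__":
    ok, bad = plan_extraction("C:\\Users\\alice\\Extract", SAMPLE_ENTRIES)
    print("would write:", ok)
    print("rejected:", bad)
```

With the constructed base directory, the naive concatenation resolves `..\..\hackedu.dll` to `C:/Users/hackedu.dll`, two levels above the extraction folder, while the checked version rejects it.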