A path traversal flaw in Coder’s code-marketplace up to version 2.4.1 lets attackers write files anywhere the service process can reach. Dubbed Zip Slip (CWE-22), it hits during VSIX extension extraction. An authenticated user with upload rights crafts a malicious zip, and boom—files drop outside the intended directory. Coder patched it in 2.4.2 after Kandlaguduru Vamsi reported it responsibly.
This matters because Coder powers self-hosted remote dev environments, competing with GitHub Codespaces. Their marketplace distributes VS Code extensions (VSIX files) to code-server instances. If your team runs Coder in production, a compromised extension could persist across restarts or pivot to the host OS. Attackers target marketplaces for supply chain hits—think SolarWinds but for dev tools.
Root Cause Breakdown
The bug lives in ExtractZip, which feeds raw, attacker-controlled zip entry names (zf.Name) straight to a callback function. No sanitization. The AddExtension handler then builds output paths with filepath.Join(dir, name) or filepath.Join(dir, file.RelativePath). Go’s filepath.Join and Clean handle .. lexically but don’t enforce directory boundaries.
return false, fn(zf.Name, zr) // zf.Name not sanitized
path := filepath.Join(dir, name) // zip loop
path := filepath.Join(dir, file.RelativePath) // extra files loop
filepath.Join("/srv/ext/pub/1.0", "../../../../etc/cron.d/evil") → "/etc/cron.d/evil"
Real-world example: A zip entry named extensions/../../../../etc/cron.d/backdoor resolves to /etc/cron.d/backdoor. Go resolves .. during cleaning, but if the marketplace process owns /srv/ext with write perms up the chain, it succeeds. Zip Slip dates to 2018; it’s low-hanging fruit that still trips up zip handlers.
Attack Paths and Real Risks
Any user with upload permissions—not just admins—triggers this. Upload a booby-trapped VSIX via the marketplace UI or API. Extraction writes payloads to host paths writable by the process. Assume typical Coder deploys on Kubernetes or Docker with a non-root marketplace pod (Coder recommends least-priv setups, but misconfigs abound).
Exploits include:
- Cron jobs: Drop
/etc/cron.d/evilfor persistent shell access. - SSH keys: Overwrite
~/.ssh/authorized_keysif homedirs are accessible. - LD_PRELOAD: Inject
/etc/ld.so.preloadfor library hijacking on next binary load. - Binaries: Patch services like SSHD if perms allow.
Why severe? Marketplaces amplify reach—one bad extension infects all users pulling it. Coder’s 10k+ GitHub stars and enterprise users (e.g., via Helm charts) mean wide exposure. No public exploits yet, but PoCs for Zip Slip are everywhere on GitHub. CVSS? Likely 7.5+ (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) given file writes.
Skeptical take: Coder fixed it fast—v2.4.2 sanitizes paths properly, likely with prefix checks or filepath.Walk-style validation. They credit the finder per their policy. Solid response, but why no bounds check in 2.4.1? Basic input validation missed in a core feature. Audit your instance: docker pull ghcr.io/coder/code-marketplace:v2.4.2 or update Helm values.
Broader lesson: VSIX=zip, and zips are untrusted by default. Node’s adm-zip, Java’s ZipInputStream—all had Zip Slip variants. Dev toolchains lag on security; extension markets need sigs, reviews, and runtime sandboxes. If you’re on Coder, isolate marketplace to low-priv containers, scan uploads with Trivy or Clair, and monitor file writes via auditd or Falco.
Upgrade now. Track v2.4.2 release notes. Coder’s transparency helps, but don’t sleep on self-hosted risks.
