A path traversal vulnerability (CWE-22) in Coder’s code-marketplace, versions up to and including 2.4.1, lets an attacker write files to arbitrary locations on the server filesystem. It is an instance of the Zip Slip pattern: entry names inside an uploaded VSIX archive are used unsanitised when the archive is extracted. Any authenticated user with upload permission can trigger it by submitting a crafted archive, potentially compromising the host where the marketplace runs.
The flaw stems from the ExtractZip function passing raw, attacker-controlled zip entry names to a callback without sanitisation. The callback in AddExtension builds the output path with filepath.Join(dir, name), where name comes straight from the archive. filepath.Join runs filepath.Clean on the result, which lexically resolves .. components but enforces no directory boundary: a name with enough .. components simply climbs out of dir. For example:
filepath.Join("/srv/ext/pub/1.0", "../../../../../etc/cron.d/evil") // resolves to "/etc/cron.d/evil"
An attacker crafts a VSIX whose entry names climb out of the extraction directory, for example extensions/evil/../../../../../../etc/cron.d/backdoor: Clean collapses the benign-looking prefix, and the surplus .. components are discarded once the path reaches the root, so the entry resolves to /etc/cron.d/backdoor. On extraction the file is written to that absolute path, limited only by the filesystem permissions of the marketplace process, which in containerized or self-hosted setups frequently runs as root. Coder’s platform targets enterprise remote development, so the marketplace typically runs in production-like environments with access to shared storage or system paths.
Attack Implications
Exploitation requires only upload access, which admins and contributors commonly hold on self-hosted code-server and marketplace instances. A successful attack yields persistence through cron jobs, SSH authorized_keys injection, or an /etc/ld.so.preload hijack. If the process runs as root (a common misconfiguration in Docker or Kubernetes deployments), the attacker can overwrite binaries or drop rootkits.
Why this matters: Coder powers remote VS Code workspaces for teams at companies like IBM and Siemens. A compromised marketplace poisons the extension ecosystem, spreading malware to developer environments, and in multi-tenant setups one bad extension affects all users. Zip Slip is not new: Snyk disclosed it in 2018 across thousands of projects in several ecosystems. It persists because archive libraries such as Go’s archive/zip hand the caller the entry name as stored and leave path validation to the caller. Coder’s v2.4.1 missed this, exposing users who had not locked down upload permissions.
Real-world context: compromises of developer tooling (JetBrains’ TeamCity in 2023, for instance) have led to supply-chain attacks, and a marketplace that accepts uploaded extensions sits in the same position. A malicious .vsix, which is just a renamed zip, can masquerade as a benign extension. Detection is hard: extraction logs look normal unless the entry paths themselves are audited.
Fix and Broader Lessons
Coder patched it in v2.4.2 (September 2024), adding a path prefix check before writing: if !strings.HasPrefix(cleanPath, dir) { return err }. One caveat for anyone copying that pattern: a bare string-prefix check is only sound if dir ends with a path separator or the comparison is done component-wise; otherwise a sibling directory such as dir-evil also passes. They credit Kandlaguduru Vamsi for responsible disclosure under their policy. Users should upgrade immediately: pull the v2.4.2 image and roll it out, or apply the equivalent Helm chart update. Note that a rollout restart only picks up the new image if the Deployment’s image tag was bumped (or the tag is mutable and imagePullPolicy is Always).
$ docker pull ghcr.io/coder/code-marketplace:v2.4.2
$ kubectl rollout restart deployment code-marketplace
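The following Go program is an added example, not code from Coder’s code-marketplace. It reproduces the mechanism described above (an in-memory VSIX with traversal entry names, and filepath.Join resolving them outside the extraction directory), shows why the bare strings.HasPrefix check quoted above is not sufficient on its own, and implements a component-wise containment check plus a scan function that lists offending entries before extraction. The directory /srv/ext/pub/1.0, the function names, and the archive contents are all constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// entry is one file inside the constructed archive.
type entry struct {
	Name, Body string
}

// buildVSIX writes the entries into an in-memory zip (a .vsix is a renamed
// zip). archive/zip does not validate entry names on write, so traversal
// names are stored exactly as an attacker would craft them.
func buildVSIX(entries []entry) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		f, err := w.Create(e.Name)
		if err != nil {
			return nil, err
		}
		if _, err := io.WriteString(f, e.Body); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// naiveTarget is the vulnerable pattern: Join cleans ".." but never checks
// that the result is still under dir.
func naiveTarget(dir, name string) string {
	return filepath.Join(dir, name)
}

// prefixOnlyOK is a bare string-prefix check of the kind quoted in the
// write-up. It stops the "../../../../../etc" escape but still accepts a
// sibling such as dir+"-evil", because that string also starts with dir.
func prefixOnlyOK(dir, name string) bool {
	return strings.HasPrefix(naiveTarget(dir, name), dir)
}

// ErrEscape is returned for any entry that would land outside dir.
var ErrEscape = errors.New("zip entry escapes extraction directory")

// safeTarget resolves name under dir and refuses absolute names and anything
// that resolves outside dir. filepath.Rel compares path components, so a
// sibling directory that merely shares a string prefix is rejected too.
func safeTarget(dir, name string) (string, error) {
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", ErrEscape
	}
	absDir, err := filepath.Abs(dir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDir, filepath.FromSlash(name))
	rel, err := filepath.Rel(absDir, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return target, nil
}

// auditArchive returns the names of every entry that safeTarget rejects for
// dir, in archive order. An empty result means the archive can be extracted
// into dir without any entry leaving it.
func auditArchive(data []byte, dir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Since Go 1.20 NewReader may itself flag traversal names; the reader is
	// still usable, and listing those names is exactly the point here.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := safeTarget(dir, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// sampleVSIX is constructed test data: one benign file, the cron.d escape
// from the write-up, and a sibling-directory entry that a bare prefix check
// lets through.
var sampleVSIX = []entry{
	{"extension/package.json", `{"name":"demo"}`},
	{"../../../../../etc/cron.d/backdoor", "* * * * * root /tmp/x\n"},
	{"../1.0-evil/hook.sh", "#!/bin/sh\n"},
}

func main() {
	dir := "/srv/ext/pub/1.0"
	data, err := buildVSIX(sampleVSIX)
	if err != nil {
		panic(err)
	}
	for _, e := range sampleVSIX {
		_, safeErr := safeTarget(dir, e.Name)
		fmt.Printf("%-36s join=%-36s prefixOK=%-5v safe=%v\n",
			e.Name, naiveTarget(dir, e.Name), prefixOnlyOK(dir, e.Name), safeErr == nil)
	}
	bad, err := auditArchive(data, dir)
	if err != nil {
		panic(err)
	}
	fmt.Println("rejected entries:", bad)
}
```

Running it shows the cron.d entry resolving to /etc/cron.d/backdoor under the naive join, the sibling entry passing the bare prefix check but failing safeTarget, and auditArchive reporting both traversal names while leaving the benign entry alone. The absolute-name rejection in safeTarget is defence in depth: filepath.Join happens to neutralise a leading slash, but other joiners (string concatenation, or passing the raw name to os.Create) do not.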
The fix itself is straightforward, but the root cause points to careless zip handling in a security-critical component. Coder’s open-source nature invited scrutiny, and they responded fast; credit where due. Still, audit your instance: restrict who can upload, run the process as non-root (e.g. securityContext.runAsUser: 1000 in the pod spec), and reject any VSIX whose entry names are absolute or contain .. components before it reaches extraction.
Bottom line: this is the standard pitfall of extracting archives from untrusted input. Anyone building a marketplace or extension system must verify that each resolved output path stays inside the target directory, compared component-wise rather than as a bare string prefix, instead of relying on path cleaning. For Coder users it reinforces isolating the marketplace from core infrastructure. Check your version; anything below 2.4.2 is exposed.