diff --git a/src/SharpCompress/Common/ExtractionMethods.cs b/src/SharpCompress/Common/ExtractionMethods.cs
index f81f82d4c..485fdf4d3 100644
--- a/src/SharpCompress/Common/ExtractionMethods.cs
+++ b/src/SharpCompress/Common/ExtractionMethods.cs
@@ -1,5 +1,6 @@
using System;
using System.IO;
+using System.Runtime.InteropServices;
using System.Threading;
using System.Threading.Tasks;
@@ -7,6 +8,15 @@ namespace SharpCompress.Common;
internal static class ExtractionMethods
{
+ ///
+ /// Gets the appropriate StringComparison for path checks based on the file system.
+ /// Windows uses case-insensitive file systems, while Unix-like systems use case-sensitive file systems.
+ ///
+ private static StringComparison PathComparison =>
+ RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
+ ? StringComparison.OrdinalIgnoreCase
+ : StringComparison.Ordinal;
+
///
/// Extract to specific directory, retaining filename
///
@@ -48,7 +58,7 @@ public static void WriteEntryToDirectory(
if (!Directory.Exists(destdir))
{
- if (!destdir.StartsWith(fullDestinationDirectoryPath, StringComparison.Ordinal))
+ if (!destdir.StartsWith(fullDestinationDirectoryPath, PathComparison))
{
throw new ExtractionException(
"Entry is trying to create a directory outside of the destination directory."
@@ -68,12 +78,7 @@ public static void WriteEntryToDirectory(
{
destinationFileName = Path.GetFullPath(destinationFileName);
- if (
- !destinationFileName.StartsWith(
- fullDestinationDirectoryPath,
- StringComparison.Ordinal
- )
- )
+ if (!destinationFileName.StartsWith(fullDestinationDirectoryPath, PathComparison))
{
throw new ExtractionException(
"Entry is trying to write a file outside of the destination directory."
@@ -158,7 +163,7 @@ public static async Task WriteEntryToDirectoryAsync(
if (!Directory.Exists(destdir))
{
- if (!destdir.StartsWith(fullDestinationDirectoryPath, StringComparison.Ordinal))
+ if (!destdir.StartsWith(fullDestinationDirectoryPath, PathComparison))
{
throw new ExtractionException(
"Entry is trying to create a directory outside of the destination directory."
@@ -178,12 +183,7 @@ public static async Task WriteEntryToDirectoryAsync(
{
destinationFileName = Path.GetFullPath(destinationFileName);
- if (
- !destinationFileName.StartsWith(
- fullDestinationDirectoryPath,
- StringComparison.Ordinal
- )
- )
+ if (!destinationFileName.StartsWith(fullDestinationDirectoryPath, PathComparison))
{
throw new ExtractionException(
"Entry is trying to write a file outside of the destination directory."
diff --git a/src/SharpCompress/packages.lock.json b/src/SharpCompress/packages.lock.json
index b85a38f73..904860ce8 100644
--- a/src/SharpCompress/packages.lock.json
+++ b/src/SharpCompress/packages.lock.json
@@ -335,9 +335,9 @@
"net8.0": {
"Microsoft.NET.ILLink.Tasks": {
"type": "Direct",
- "requested": "[8.0.20, )",
- "resolved": "8.0.20",
- "contentHash": "Rhcto2AjGvTO62+/VTmBpumBOmqIGp7nYEbTbmEXkCq4yPGxV8whju3/HsIA/bKyo2+DggaYk5+/8sxb1AbPTw=="
+ "requested": "[8.0.0, )",
+ "resolved": "8.0.0",
+ "contentHash": "B3etT5XQ2nlWkZGO2m/ytDYrOmSsQG1XNBaM6ZYlX5Ch/tDrMFadr0/mK6gjZwaQc55g+5+WZMw4Cz3m8VEF7g=="
},
"Microsoft.SourceLink.GitHub": {
"type": "Direct",
diff --git a/tests/SharpCompress.Test/ExtractionTests.cs b/tests/SharpCompress.Test/ExtractionTests.cs
new file mode 100644
index 000000000..04b5b08f6
--- /dev/null
+++ b/tests/SharpCompress.Test/ExtractionTests.cs
@@ -0,0 +1,99 @@
+using System;
+using System.IO;
+using SharpCompress.Common;
+using SharpCompress.Readers;
+using SharpCompress.Writers;
+using SharpCompress.Writers.Zip;
+using Xunit;
+
+namespace SharpCompress.Test;
+
+public class ExtractionTests : TestBase
+{
+ [Fact]
+ public void Extraction_ShouldHandleCaseInsensitivePathsOnWindows()
+ {
+ // This test validates that extraction succeeds when Path.GetFullPath returns paths
+ // with casing that matches the platform's file system behavior. On Windows,
+ // Path.GetFullPath can return different casing than the actual directory on disk
+ // (e.g., "system32" vs "System32"), and the extraction should succeed because
+ // Windows file systems are case-insensitive. On Unix-like systems, this test
+ // verifies that the case-sensitive comparison is used correctly.
+
+ var testArchive = Path.Combine(SCRATCH2_FILES_PATH, "test-extraction.zip");
+ var extractPath = SCRATCH_FILES_PATH;
+
+ // Create a simple test archive with a single file
+ using (var stream = File.Create(testArchive))
+ {
+ using var writer = (ZipWriter)
+ WriterFactory.Open(stream, ArchiveType.Zip, CompressionType.Deflate);
+
+ // Create a test file to add to the archive
+ var testFilePath = Path.Combine(SCRATCH2_FILES_PATH, "testfile.txt");
+ File.WriteAllText(testFilePath, "Test content");
+
+ writer.Write("testfile.txt", testFilePath);
+ }
+
+ // Extract the archive - this should succeed regardless of path casing
+ using (var stream = File.OpenRead(testArchive))
+ {
+ using var reader = ReaderFactory.Open(stream);
+
+ // This should not throw an exception even if Path.GetFullPath returns
+ // a path with different casing than the actual directory
+ var exception = Record.Exception(() =>
+ reader.WriteAllToDirectory(
+ extractPath,
+ new ExtractionOptions { ExtractFullPath = false, Overwrite = true }
+ )
+ );
+
+ Assert.Null(exception);
+ }
+
+ // Verify the file was extracted successfully
+ var extractedFile = Path.Combine(extractPath, "testfile.txt");
+ Assert.True(File.Exists(extractedFile));
+ Assert.Equal("Test content", File.ReadAllText(extractedFile));
+ }
+
+ [Fact]
+ public void Extraction_ShouldPreventPathTraversalAttacks()
+ {
+ // This test ensures that the security check still works to prevent
+ // path traversal attacks (e.g., using "../" to escape the destination directory)
+
+ var testArchive = Path.Combine(SCRATCH2_FILES_PATH, "test-traversal.zip");
+ var extractPath = SCRATCH_FILES_PATH;
+
+ // Create a test archive with a path traversal attempt
+ using (var stream = File.Create(testArchive))
+ {
+ using var writer = (ZipWriter)
+ WriterFactory.Open(stream, ArchiveType.Zip, CompressionType.Deflate);
+
+ var testFilePath = Path.Combine(SCRATCH2_FILES_PATH, "testfile2.txt");
+ File.WriteAllText(testFilePath, "Test content");
+
+ // Try to write with a path that attempts to escape the destination directory
+ writer.Write("../../evil.txt", testFilePath);
+ }
+
+ // Extract the archive - this should throw an exception for path traversal
+ using (var stream = File.OpenRead(testArchive))
+ {
+ using var reader = ReaderFactory.Open(stream);
+
+ var exception = Assert.Throws(() =>
+ reader.WriteAllToDirectory(
+ extractPath,
+ new ExtractionOptions { ExtractFullPath = true, Overwrite = true }
+ )
+ );
+
+ Assert.Contains("outside of the destination", exception.Message);
+ }
+ }
+}