plugin-ext: update 'decompress' #7319
Comments
I think we're decompressing with zip for
Thank you, we should find a suitable alternative that handles them all.
@vince-fugnitto @marcdumais-work @spoenemann maybe it is time to publish next versions as preview extensions into our registry and drop npm support
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. This commit includes an archive that will trigger the exploit by writing a file to `/tmp/slipped.txt`. This comes from kevva/decompress#71 (comment) Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
Does this refer to the fact that we initially published the VS Code builtins on npm? Are there other VS Code extensions published on npm that we know about? Anyway, will not npm/yarn take care of unzipping the archive downloaded from npm? Can we drop Note:
Yes, it is only about built-ins.
We don't use npm/yarn to download anything. @spoenemann Is there a way to publish a new version to Open VSX Registry but not as `latest`? What we need is to have, for exactly the same unique id, two versions: one `latest` for the tested version and one `next` for the nightly build.
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. This commit includes an archive that will trigger the exploit by writing a file to `/tmp/slipped.txt`. This comes from magicOz, who reported the vulnerability on kevva's decompress repository (issue 71). Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
package.json has a
@spoenemann It sounds fine. I'm more concerned whether the current registry API can provide a stable URI for latest and next versions, i.e. something like
Description

The `decompress` dependency (part of `plugin-ext`) has a known security vulnerability which has been reported by the security-audit. The issue is that `decompress` is not well-maintained (3 years since the last release) and it is unlikely that the flaw will be resolved. We should instead opt for a license-compatible alternative which is maintained.

Update

`decompress` has been updated and no longer has a security advisory, so there is no need to find an alternative; we can instead update the dependency to `decompress >= 4.2.1`.