-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
plugin-ext: validate path when unpacking archives #7322
Conversation
19491bf
to
94fbe5b
Compare
packages/plugin-ext/src/main/node/plugin-deployer-file-handler-context-impl.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While I'm fine with having safety measures for zip-slip
(arbitrary file-write) including the additional tests, I think we should still look for a replacement to decompress
. The project is not actively maintained and will likely cause more issues going forward. In addition, since the flaw is not patched in decompress
, the security vulnerability will still show up for @theia/plugin-ext
. Also, if someone still happens to use decompress
in another area of the code, it will not benefit from the same patching.
It looks like we only need a dependency capable of handling zip
archives so it should be easy to find a maintained alternative.
TBH I don't really care. I like I'll still update this PR based on Anton's comment, feel free to open a separate PR that would replace the dependency by something else if this is an hard requirement. |
94fbe5b
to
2f50182
Compare
I find this to be a compelling argument. If we keep |
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. This commit includes an archive that will trigger the exploit by writing a file to `/tmp/slipped.txt`. This comes from magicOz, who reported the vulnerability on kevva's decompress repository (issue 71). Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
2f50182
to
a869853
Compare
Preferred way is to change the dependency. |
What it does
Fix zip-slip by validating where a given file will be unpacked. If the
expected path is outside of the destination folder: log a warning and
ignore the file.
Fixes #7319
How to test
Tests should fail if you comment lines 32 to 44 in
plugin-deployer-file-handler-context-impl.ts
.Review checklist
Reminder for reviewers