Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Codeql detects zipslip vulnerability #8209

Merged
merged 1 commit into from
Apr 4, 2023
Merged

Codeql detects zipslip vulnerability #8209

merged 1 commit into from
Apr 4, 2023

Conversation

laurit
Copy link
Contributor

@laurit laurit commented Apr 4, 2023

I think that the only way zipslip could happen is when name contains .. but codeql isn't able to cope with that. Removing the .. check gets rid of the code scanning alert.

@laurit laurit requested a review from a team April 4, 2023 15:18
@trask
Copy link
Member

trask commented Apr 4, 2023

I think that the only way zipslip could happen is when name contains .. but codeql isn't able to cope with that. Removing the .. check gets rid of the code scanning alert.

where are you seeing the codeql failure?

@breedx-splk
Copy link
Contributor

breedx-splk commented Apr 4, 2023
edited
Loading

@laurit Would you mind linking to or screenshotting the codeql output? I couldn't find it in the nightly output.

This fix is counterintuitive to me -- the .. check appeared to be trying to prevent zipslip like content, but with it removed it would be allowed. This also leaves behind the comment about zipslip, even tho the check is removed.

Edit: Ok, after further looking, the .. check isn't maybe robust enough in the first place, and the remaining startsWith fix follows the Java validation pattern shown here. 👍🏻

breedx-splk
breedx-splk reviewed Apr 4, 2023
View reviewed changes
javaagent-tooling/src/main/java/io/opentelemetry/javaagent/tooling/ExtensionClassLoader.java
if (!tempFile
.getCanonicalFile()
.toPath()
.startsWith(tempDirectory.getCanonicalFile().toPath())) {
Copy link
Contributor

@breedx-splk breedx-splk Apr 4, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
.startsWith(tempDirectory.getCanonicalFile().toPath())) {
.startsWith(tempDirectory.getCanonicalPath() + File.separator)) {

It looks like appending the file separator to the end of the expected path is important in order to prevent writing to a neighboring directory. That is, if the actual temp dir is /tmp and the file coming in from the zip somehow crafts ../../../../tmpOther it could possibly write to /tmpOther which should also be prevented.

@laurit
Copy link
Contributor Author

laurit commented Apr 4, 2023

where are you seeing the codeql failure?

https://github.com/open-telemetry/opentelemetry-java-instrumentation/security/code-scanning

@trask trask merged commit e0ecb56 into open-telemetry:main Apr 4, 2023
@laurit laurit deleted the codeql-zipslip branch July 6, 2023 17:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@breedx-splk breedx-splk breedx-splk left review comments

@mateuszrzeszutek mateuszrzeszutek mateuszrzeszutek approved these changes

@trask trask trask approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@laurit @trask @breedx-splk @mateuszrzeszutek