asf-tooling opened a new issue, #981:
URL: https://github.com/apache/tooling-trusted-releases/issues/981
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The archive extraction functions return `0` instead of `total_extracted`
when skipping certain members (metadata files, device files, unsafe paths).
This resets the running size counter, allowing attackers to bypass the
extraction size limit by interleaving skipped members with large files.
Attackers can extract 150MB+ archives despite 100MB limits by interleaving
metadata files.
### Details
**Affected Files and Lines:**
- `atr/archives.py:143-159` - TAR extraction with size reset
- `atr/archives.py:227-236` - ZIP extraction with size reset
When skipping members, the functions return 0 instead of preserving the
accumulated total_extracted value, resetting the size counter.
### Recommended Remediation
Fix all return paths in both `_tar_archive_extract_member` and
`_zip_archive_extract_member` to return `total_extracted` instead of `0` when
skipping members:
```python
# In _tar_archive_extract_member
if should_skip_member:
return total_extracted # Don't reset counter
# In _zip_archive_extract_member
if should_skip_member:
return total_extracted # Don't reset counter
```
Add verification tests that create archives with interleaved metadata files
and verify the size limit is enforced.
### Acceptance Criteria
- [ ] Size counter preserved when skipping
- [ ] All return paths fixed
- [ ] TAR extraction corrected
- [ ] ZIP extraction corrected
- [ ] Integration test with interleaved files
- [ ] Unit test verifying the fix
### References
- Source reports: L2:15.2.2.md
- Related findings: None
- ASVS sections: 15.2.2
### Priority
High
---
---
### Consolidated: FINDING-088 - Archive Extraction Size Limit Bypass via
Metadata File Counter Reset
**ASVS Level(s):** [L1]
**Description:**
### Summary
The archive extraction functions contain a bug where returning 0 instead of
total_extracted when skipping metadata files causes the extraction size counter
to reset. This allows attackers to bypass the documented maximum extraction
size limit (1GB) by interleaving skipped files between large files.
Authenticated users can bypass documented extraction size limits, potentially
causing disk exhaustion during SBOM generation or archive processing.
### Details
Affected locations:
- `atr/archives.py` lines 95-98, 100-102, 159-161: Return 0 instead of
total_extracted
- `atr/archives.py` lines 180-220: `_tar_archive_extract_member()`
- `atr/archives.py` lines 250-290: `_zip_archive_extract_member()`
The functions return 0 for extracted size when skipping macOS metadata files
(`._*` prefix) or device files, instead of returning the accumulated
`total_extracted` value. This resets the counter, allowing unlimited extraction
by interleaving skipped files.
### Recommended Remediation
Change the return statement from `return 0, extracted_paths` to `return
total_extracted, extracted_paths` when skipping metadata files (`._*` prefix)
and device files. This preserves the counter across all extraction operations:
```python
# When skipping files:
if should_skip:
return total_extracted, extracted_paths # Not 0
```
Change early returns in `_tar_archive_extract_member()` and
`_zip_archive_extract_member()` to return `total_extracted` instead of 0 when
skipping files.
### Acceptance Criteria
- [ ] Extraction size counter is not reset when skipping files
- [ ] Maximum extraction size limit is enforced correctly
- [ ] Test case verifying interleaved skipped files cannot bypass limit
- [ ] Unit test verifying the fix
### References
- Source reports: L1:2.1.1.md, L1:2.2.1.md
- Related findings: None
- ASVS sections: 2.1.1, 2.2.1
### Priority
Medium
---
---
**Triage notes:** confirm
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
