odaysec opened a new pull request, #34982: URL: https://github.com/apache/beam/pull/34982
https://github.com/apache/beam/blob/75cf7e182c9af656db147050f2cab1b7b374ee97/sdks/go/pkg/beam/core/runtime/xlangx/expansionx/download.go#L142-L164 To fix the issue, we need to validate the file paths extracted from the zip archive to ensure they do not contain directory traversal elements (`..`) and are confined to the intended destination directory. This can be achieved by resolving the absolute path of the constructed `fileName` and ensuring it is a subpath of the `dest` directory. If the validation fails, the file should be skipped or an error should be raised. The fix involves: 1. Resolving the absolute path of `fileName` using `filepath.Abs`. 2. Ensuring that the resolved path starts with the absolute path of the `dest` directory. 3. Skipping or rejecting files that fail this validation. --- Extracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths. Zip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files. For example, if a zip file contains a file entry `..\beam-file`, and the zip file is extracted to the directory `c:\output`, then naively combining the paths would result in an output file path of `c:\output\..\beam-file`, which would cause the file to be written to `c:\beam-file`. In this an archive is extracted without validating file paths. If archive.zip contained relative paths (for instance, if it were created by something like zip archive.zip ../file.txt) then executing this code could write to locations outside the destination directory. ```go package main import ( "archive/zip" "io/ioutil" "path/filepath" ) func unzip(f string) { r, _ := zip.OpenReader(f) for _, f := range r.File { p, _ := filepath.Abs(f.Name) // BAD: This could overwrite any file on the file system ioutil.WriteFile(p, []byte("present"), 0666) } } ``` To fix this vulnerability, we need to check that the path does not contain any "`..`" elements in it. ```go package main import ( "archive/zip" "io/ioutil" "path/filepath" "strings" ) func unzipGood(f string) { r, _ := zip.OpenReader(f) for _, f := range r.File { p, _ := filepath.Abs(f.Name) // GOOD: Check that path does not contain ".." before using it if !strings.Contains(f.Name, "..") { ioutil.WriteFile(p, []byte("present"), 0666) } } } ``` ## References [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability) [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) [CWE-22](https://cwe.mitre.org/data/definitions/22.html) ------------------------ Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily: - [ ] Mention the appropriate issue in your description (for example: `addresses #123`), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment `fixes #<ISSUE NUMBER>` instead. - [ ] Update `CHANGES.md` with noteworthy changes. - [ ] If this contribution is large, please file an Apache [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf). See the [Contributor Guide](https://beam.apache.org/contribute) for more tips on [how to make review process smoother](https://github.com/apache/beam/blob/master/CONTRIBUTING.md#make-the-reviewers-job-easier). To check the build health, please visit [https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md](https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md) GitHub Actions Tests Status (on master branch) ------------------------------------------------------------------------------------------------ [](https://github.com/apache/beam/actions?query=workflow%3A%22Build+python+source+distribution+and+wheels%22+branch%3Amaster+event%3Aschedule) [](https://github.com/apache/beam/actions?query=workflow%3A%22Python+Tests%22+branch%3Amaster+event%3Aschedule) [](https://github.com/apache/beam/actions?query=workflow%3A%22Java+Tests%22+branch%3Amaster+event%3Aschedule) [](https://github.com/apache/beam/actions?query=workflow%3A%22Go+tests%22+branch%3Amaster+event%3Aschedule) See [CI.md](https://github.com/apache/beam/blob/master/CI.md) for more information about GitHub Actions CI or the [workflows README](https://github.com/apache/beam/blob/master/.github/workflows/README.md) to see a list of phrases to trigger workflows. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
