Copilot commented on code in PR #40664:
URL: https://github.com/apache/superset/pull/40664#discussion_r3338875130


##########
superset/extensions/utils.py:
##########
@@ -36,7 +36,9 @@
 logger = logging.getLogger(__name__)
 
 FRONTEND_REGEX = re.compile(r"^frontend/dist/([^/]+)$")
-BACKEND_REGEX = re.compile(r"^backend/src/(.+)$")
+# Reject parent ("..") path components so a crafted entry name cannot produce
+# a traversal-style module path (defense in depth; check_is_safe_zip runs 
first).
+BACKEND_REGEX = re.compile(r"^backend/src/(?!.*\.\.)(.+)$")
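Review bot: the negative lookahead `(?!.*\.\.)` in the new `BACKEND_REGEX` rejects the two-character substring `..` anywhere in the entry name, not only parent-directory components as the comment above it claims, so a legitimate file such as `backend/src/pkg/a..b.py` is silently skipped. Either anchor the lookahead to path segments, e.g. `(?!(?:.*/)?\.\.(?:/|$))`, or keep the regex simple and validate the captured group afterwards by splitting it on `/` and rejecting any part equal to `..` (or empty, which would also cover `backend/src//x`); a segment-level check is easier to audit than a lookahead and matches what the comment says. Also worth noting in the comment that `.` does not match newlines by default, so the pattern, and therefore the traversal check, only applies to names this regex actually matches; names it rejects fall through to whatever the caller does with non-matching entries.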

Review Comment:
   The comment says we reject parent-directory path *components* (".."), but 
the regex actually rejects any occurrence of the substring ".." anywhere in the 
path. Either tighten the regex to only exclude traversal segments or update the 
comment to match what the pattern really does.



##########
superset/utils/core.py:
##########
@@ -2107,8 +2107,17 @@ def check_is_safe_zip(zip_file: ZipFile) -> None:
             raise SupersetException("Found file with size above allowed 
threshold")
         uncompress_size += zip_file_element.file_size
         compress_size += zip_file_element.compress_size
-    compress_ratio = uncompress_size / compress_size
-    if compress_ratio > app.config["ZIP_FILE_MAX_COMPRESS_RATIO"]:
+    # Bound the total decompressed size, not just the per-file size, so an
+    # archive of many individually-allowed entries cannot exhaust memory.
+    if uncompress_size > app.config["ZIP_FILE_MAX_TOTAL_SIZE"]:
+        raise SupersetException("Found total uncompressed size above allowed 
threshold")
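Review bot: `ZIP_FILE_MAX_TOTAL_SIZE` is a new config key, so it needs a default in the application config and a mention in the docs/UPDATING notes next to the existing `ZIP_FILE_MAX_COMPRESS_RATIO`, otherwise a deployment on the old config raises `KeyError` here instead of a clean `SupersetException`. The visible part of this hunk also drops the compression-ratio check outright; if the ratio check is re-added further down in the hunk, guard it against `compress_size == 0` (an archive of stored or empty entries would otherwise raise `ZeroDivisionError` in the old `uncompress_size / compress_size` form), and if it is intentionally removed, the `compress_size` accumulation on the preceding context line becomes dead code and should go too.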

Review Comment:
   Minor optimization: the total uncompressed-size cap is enforced only after 
the loop. You could fail fast by checking `uncompress_size` against 
`ZIP_FILE_MAX_TOTAL_SIZE` inside the loop right after incrementing it, and 
remove the post-loop check.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

