rusackas commented on code in PR #40664:
URL: https://github.com/apache/superset/pull/40664#discussion_r3342385194


##########
superset/extensions/utils.py:
##########
@@ -36,7 +36,9 @@
 logger = logging.getLogger(__name__)
 
 FRONTEND_REGEX = re.compile(r"^frontend/dist/([^/]+)$")
-BACKEND_REGEX = re.compile(r"^backend/src/(.+)$")
+# Reject parent ("..") path components so a crafted entry name cannot produce
+# a traversal-style module path (defense in depth; check_is_safe_zip runs 
first).
+BACKEND_REGEX = re.compile(r"^backend/src/(?!.*\.\.)(.+)$")
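Review bot: The comment on the new `BACKEND_REGEX` does not match what the lookahead does: `(?!.*\.\.)` rejects any `..` substring anywhere in the captured path (so an entry such as `backend/src/pkg/foo..bar.py` is refused too), not only parent-directory components. Either reword the comment to say "rejects any `..` substring", or narrow the guard to path segments, e.g. `(?!.*(?:^|/)\.\.(?:/|$))`, so a literal `..` inside a filename is still accepted. Minor: the added comment line ends with trailing whitespace after "runs".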

Review Comment:
   Good catch on the comment/regex mismatch. Since I want to keep the 
conservative `(?!.*\.\.)` guard (extension module paths never embed consecutive 
dots in practice, and `check_is_safe_zip` is the primary defense), I updated 
the comment to accurately describe that it rejects any `..` substring rather 
than just parent-directory segments. Fixed in d47de893b0.



##########
superset/utils/core.py:
##########
@@ -2107,8 +2107,17 @@ def check_is_safe_zip(zip_file: ZipFile) -> None:
             raise SupersetException("Found file with size above allowed 
threshold")
         uncompress_size += zip_file_element.file_size
         compress_size += zip_file_element.compress_size
-    compress_ratio = uncompress_size / compress_size
-    if compress_ratio > app.config["ZIP_FILE_MAX_COMPRESS_RATIO"]:
+    # Bound the total decompressed size, not just the per-file size, so an
+    # archive of many individually-allowed entries cannot exhaust memory.
+    if uncompress_size > app.config["ZIP_FILE_MAX_TOTAL_SIZE"]:
+        raise SupersetException("Found total uncompressed size above allowed 
threshold")

Review Comment:
   Makes sense — moved the total-size cap inside the loop so it fails fast on 
the first entry that pushes the running total past `ZIP_FILE_MAX_TOTAL_SIZE`, 
and dropped the redundant post-loop check. Fixed in d47de893b0.


