Avoid failing scans outright when encountering extraction failures

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

cmd/mal/mal.go

@@ -50,6 +50,7 @@ var (
 	allFlag                   bool
 	concurrencyFlag           int
 	diffImageFlag             bool
+	exitExtractionFlag        bool
 	exitFirstHitFlag          bool
 	exitFirstMissFlag         bool
 	fileRiskChangeFlag        bool
@@ -262,6 +263,7 @@ func main() {
 
 			mc = malcontent.Config{
 				Concurrency:           concurrency,
+				ExitExtraction:        exitExtractionFlag,
 				ExitFirstHit:          exitFirstHitFlag,
 				ExitFirstMiss:         exitFirstMissFlag,
 				IgnoreSelf:            ignoreSelfFlag,
@@ -287,6 +289,12 @@ func main() {
 				Usage:       "Ignore nothing within a provided scan path",
 				Destination: &allFlag,
 			},
+			&cli.BoolFlag{
+				Name:        "exit-extraction",
+				Value:       true,
+				Usage:       "Exit when encountering file extraction errors",
+				Destination: &exitExtractionFlag,
+			},
 			&cli.BoolFlag{
 				Name:        "exit-first-miss",
 				Value:       false,

pkg/action/archive_test.go

@@ -260,6 +260,95 @@ func TestScanArchive(t *testing.T) {
 	}
 }
 
+func extractError(e error) error {
+	if strings.Contains(e.Error(), "not a valid gzip archive") || strings.Contains(e.Error(), "not a valid zip file") {
+		return nil
+	}
+	return e
+}
+
+func TestScanInvalidArchive(t *testing.T) {
+	t.Parallel()
+	ctx := slogtest.Context(t)
+	clog.FromContext(ctx).With("test", "scan_archive")
+
+	var out bytes.Buffer
+	r, err := render.New("json", &out)
+	if err != nil {
+		t.Fatalf("render: %v", err)
+	}
+
+	rfs := []fs.FS{rules.FS, thirdparty.FS}
+	yrs, err := CachedRules(ctx, rfs)
+	if err != nil {
+		t.Fatalf("rules: %v", err)
+	}
+
+	mc := malcontent.Config{
+		Concurrency:    runtime.NumCPU(),
+		ExitExtraction: true,
+		IgnoreSelf:     false,
+		MinFileRisk:    0,
+		MinRisk:        0,
+		Renderer:       r,
+		Rules:          yrs,
+		ScanPaths: []string{
+			"testdata/17419.zip",
+			"testdata/joblib_0.9.4.dev0_compressed_cache_size_pickle_py35_np19.gz",
+		},
+	}
+	_, err = Scan(ctx, mc)
+	err = extractError(err)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestScanInvalidArchiveIgnore(t *testing.T) {
+	t.Parallel()
+	ctx := slogtest.Context(t)
+	clog.FromContext(ctx).With("test", "scan_archive")
+
+	var out bytes.Buffer
+	r, err := render.New("json", &out)
+	if err != nil {
+		t.Fatalf("render: %v", err)
+	}
+
+	rfs := []fs.FS{rules.FS, thirdparty.FS}
+	yrs, err := CachedRules(ctx, rfs)
+	if err != nil {
+		t.Fatalf("rules: %v", err)
+	}
+
+	mc := malcontent.Config{
+		Concurrency:    runtime.NumCPU(),
+		ExitExtraction: false,
+		IgnoreSelf:     false,
+		MinFileRisk:    0,
+		MinRisk:        0,
+		Renderer:       r,
+		Rules:          yrs,
+		ScanPaths: []string{
+			"testdata/17419.zip",
+			"testdata/joblib_0.9.4.dev0_compressed_cache_size_pickle_py35_np19.gz",
+		},
+	}
+	res, err := Scan(ctx, mc)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := r.Full(ctx, nil, res); err != nil {
+		t.Fatalf("full: %v", err)
+	}
+
+	got := out.String()
+	want := "{}\n"
+	if diff := cmp.Diff(want, got); diff != "" {
+		t.Errorf("output mismatch: (-want +got):\n%s", diff)
+	}
+}
+
 func TestGetExt(t *testing.T) {
 	tests := []struct {
 		path string

pkg/action/scan.go

@@ -630,6 +630,11 @@ func processArchive(ctx context.Context, c malcontent.Config, rfs []fs.FS, archi
 
 	tmpRoot, err := archive.ExtractArchiveToTempDir(ctx, archivePath)
 	if err != nil {
+		// Avoid failing an entire scan when encountering problematic archives
+		// e.g., joblib_0.8.4_compressed_pickle_py27_np17.gz: not a valid gzip archive
+		if !c.ExitExtraction {
+			return nil, nil
+		}
 		return nil, fmt.Errorf("extract to temp: %w", err)
 	}
 	// Ensure that tmpRoot is removed before returning if created successfully

pkg/action/testdata/17419.zip

@@ -0,0 +1,26 @@
+Advisory :
+
+
+Abysssec Public Exploit :
+
+This module exploits a code execution vulnerability in Mozilla
+Firefox <= 3.6.16 caused by nsTreeSelection element. The specific flaw
+exists within the way Firefox handles user defined functions of
+a nsTreeSelection element. When executing the function
+invalidateSelection it is possible to free the nsTreeSelection object
+that the function operates on. Any further operations on the freed
+object can result in remote code execution.this exploit module is only
+tested on win7 and used a Another JAVA ROPto defeat DEP/ASLR (due to
+there is no more non-aslr module in Firefox) and in my tests works
+reliably on Windows7.
+
+there is two version of this exploit XP and 7 and both use different
+method that used in MSF Exploit bounty !
+
+XP   Version: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17419-1.zip (nsTreeRange_XP.zip)
+Win7 Version: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17419-2.zip (nsTreeRange_7.zip)
+
+
+
+
+questions / comments : Info [at] abysssec.com

pkg/action/testdata/joblib_0.9.4.dev0_compressed_cache_size_pickle_py35_np19.gz

@@ -23,6 +23,7 @@ type Renderer interface {
 
 type Config struct {
 	Concurrency           int
+	ExitExtraction        bool
 	ExitFirstHit          bool
 	ExitFirstMiss         bool
 	FileRiskChange        bool