GXCompress .NET implementation #1108

Merged
tomas-sexenian merged 23 commits into master from compress
Jul 15, 2025
@tomas-sexenian

Contributor

No description provided.

@tomas-sexenian tomas-sexenian temporarily deployed to external-storage-tests February 26, 2025 15:26 — with GitHub Actions Inactive
Comment thread dotnet/src/dotnetcore/GXCompress/GXCompressor.cs Fixed
Comment thread dotnet/src/dotnetcore/GXCompress/GXCompressor.cs Fixed
@tomas-sexenian tomas-sexenian temporarily deployed to external-storage-tests February 26, 2025 16:04 — with GitHub Actions Inactive
@tomas-sexenian tomas-sexenian marked this pull request as ready for review February 26, 2025 16:04
@genexusbot

Contributor
Cherry pick to beta failed, 1 conflicted file in commit 0e4f16d
  • dotnet/DotNetStandardClasses.sln

@genexusbot genexusbot added the conflict Conflict merging to beta branch label Feb 26, 2025
@genexusbot

Contributor
Manual cherry pick to beta success

@genexusbot

Contributor
Cherry pick to beta success

@genexusbot genexusbot removed the conflict Conflict merging to beta branch label Feb 26, 2025
@tomas-sexenian tomas-sexenian had a problem deploying to external-storage-tests March 7, 2025 14:49 — with GitHub Actions Failure
@genexusbot

Contributor
Cherry pick to beta success

@tomas-sexenian tomas-sexenian temporarily deployed to external-storage-tests March 10, 2025 14:39 — with GitHub Actions Inactive
@genexusbot

Contributor
Cherry pick to beta success

@sgrampone sgrampone temporarily deployed to external-storage-tests March 31, 2025 17:11 — with GitHub Actions Inactive
@genexusbot

Contributor
Cherry pick to beta failed, 1 conflicted file in commit 4a4bfbd
  • dotnet/DotNetStandardClasses.sln

@genexusbot genexusbot added the conflict Conflict merging to beta branch label Mar 31, 2025
@genexusbot

Contributor
Manual cherry pick to beta success

@genexusbot genexusbot removed the conflict Conflict merging to beta branch label Mar 31, 2025
@sgrampone sgrampone temporarily deployed to external-storage-tests March 31, 2025 19:45 — with GitHub Actions Inactive
@genexusbot

Contributor
Cherry pick to beta success

@genexusbot

Contributor
Cherry pick to beta success

@claudiamurialdo claudiamurialdo had a problem deploying to external-storage-tests April 18, 2025 19:19 — with GitHub Actions Failure
@genexusbot

Contributor
Cherry pick to beta success

@claudiamurialdo claudiamurialdo had a problem deploying to external-storage-tests April 18, 2025 19:31 — with GitHub Actions Failure
@genexusbot

Contributor
Cherry pick to beta failed, 1 conflicted file in commit c02af46
  • dotnet/DotNetStandardClasses.sln

@genexusbot genexusbot added the conflict Conflict merging to beta branch label Apr 18, 2025
@claudiamurialdo claudiamurialdo temporarily deployed to external-storage-tests April 18, 2025 19:31 — with GitHub Actions Inactive
@genexusbot

Contributor
Manual cherry pick to beta success

@genexusbot

Contributor
Cherry pick to beta success

@genexusbot genexusbot removed the conflict Conflict merging to beta branch label Apr 18, 2025
{
foreach (var entry in archive.Entries)
{
string fullPath = Path.Combine(outputPath, entry.FullName);

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip")

Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).

Copilot Autofix

AI about 1 year ago

To fix the issue, we need to validate the paths derived from entry.FullName to ensure they do not escape the intended outputPath directory. The fix involves:

  1. Using Path.GetFullPath to resolve the full path of the constructed file path (fullPath).
  2. Using Path.GetFullPath to resolve the full path of the outputPath directory, ensuring it ends with a directory separator.
  3. Verifying that the resolved fullPath starts with the resolved outputPath. If it does not, an exception is thrown.
  4. Applying the same validation logic to both DecompressZip and DecompressJar methods.

Suggested changeset 1
dotnet/src/dotnetframework/GxCompress/GXCompressor.cs

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs b/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs
--- a/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs
+++ b/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs
@@ -604,3 +604,8 @@
 				{
-					string fullPath = Path.Combine(outputPath, entry.FullName);
+					string fullPath = Path.GetFullPath(Path.Combine(outputPath, entry.FullName));
+					string fullOutputPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar);
+					if (!fullPath.StartsWith(fullOutputPath, StringComparison.Ordinal))
+					{
+						throw new InvalidOperationException($"Entry is outside the target directory: {entry.FullName}");
+					}
 					if (string.IsNullOrEmpty(entry.Name))
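Review bot: `fullOutputPath` at the second added line depends only on `outputPath` but is recomputed for every entry; compute it once before the `foreach`. The `throw` also sits inside the loop, so any entries handled before the offending one are already on disk when the exception propagates. Either validate every `entry.FullName` in a first pass before extracting anything, or document that a failed extraction leaves a partially populated `outputPath` that the caller must clean up.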
@@ -620,3 +625,2 @@
 #endif
-
 						entry.ExtractToFile(fullPath, true);
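Review bot: The blank line removed after `#endif` is unrelated to the path check; leave it out of this patch so the security fix stays minimal and is easier to cherry-pick to other branches.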
@@ -743,3 +747,8 @@
 				{
-					string destinationPath = Path.Combine(outputPath, entry.FullName);
+					string destinationPath = Path.GetFullPath(Path.Combine(outputPath, entry.FullName));
+					string fullOutputPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar);
+					if (!destinationPath.StartsWith(fullOutputPath, StringComparison.Ordinal))
+					{
+						throw new InvalidOperationException($"Entry is outside the target directory: {entry.FullName}");
+					}
 					if (string.IsNullOrEmpty(entry.Name))
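Review bot: The containment check added here is line-for-line the one added at `@@ -604`, with only `fullPath` renamed to `destinationPath`; move it into one private helper that takes `outputPath` and `entry.FullName` and returns the validated path, and call it from both places so the two extraction paths cannot drift apart.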
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
{
foreach (var entry in archive.Entries)
{
string destinationPath = Path.Combine(outputPath, entry.FullName);

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip")

Unsanitized archive entry, which may contain '..', is used in a [file system operation](1).

Copilot Autofix

AI about 1 year ago

To fix the issue, we need to validate and sanitize the paths derived from entry.FullName to ensure they do not escape the intended outputPath. The fix involves:

  1. Using Path.GetFullPath to resolve the full path of the destination file, which normalizes the path and resolves any directory traversal elements.
  2. Using Path.GetFullPath on the outputPath to determine the fully resolved path of the destination directory.
  3. Validating that the resolved destination file path starts with the resolved destination directory path. If it does not, an exception is thrown.
  4. Proceeding with file extraction only if the validation passes.

This ensures that all extracted files remain within the intended directory.


Suggested changeset 1
dotnet/src/dotnetframework/GxCompress/GXCompressor.cs

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs b/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs
--- a/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs
+++ b/dotnet/src/dotnetframework/GxCompress/GXCompressor.cs
@@ -743,3 +743,8 @@
 				{
-					string destinationPath = Path.Combine(outputPath, entry.FullName);
+					string destinationPath = Path.GetFullPath(Path.Combine(outputPath, entry.FullName));
+					string fullOutputPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar);
+					if (!destinationPath.StartsWith(fullOutputPath, StringComparison.Ordinal))
+					{
+						throw new InvalidOperationException($"Entry is outside the target directory: {entry.FullName}");
+					}
 					if (string.IsNullOrEmpty(entry.Name))
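Review bot: The `@@ -743` edit here is the same change the other Autofix patch for this file already carries as its last hunk, so only one of the two patches can be applied cleanly; pick one. No test accompanies the check: add one that extracts an archive containing an entry whose name includes `..` and asserts that `InvalidOperationException` is thrown and nothing is written outside `outputPath`.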
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
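Both Autofix comments above say the resolved output directory must end with a directory separator before the `StartsWith` comparison. The following added example (not code from this PR or from the GeneXus code base) shows why, by running the check with and without the trailing separator over constructed entry names. `SafeExtractDemo`, `ResolveInside` and `WeakCheck` are hypothetical names, and the output directory and entry names are constructed stand-ins for `outputPath` and `entry.FullName`.

```csharp
using System;
using System.IO;

static class SafeExtractDemo
{
    // Hypothetical helper (not in the PR): resolve entryName under outputDir or throw.
    static string ResolveInside(string outputDir, string entryName)
    {
        // Root with exactly one trailing separator, so ".../out" cannot match ".../out-old".
        string root = Path.GetFullPath(outputDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        // GetFullPath collapses "." and ".." segments before the comparison.
        string full = Path.GetFullPath(Path.Combine(root, entryName));
        if (!full.StartsWith(root, StringComparison.Ordinal))
            throw new InvalidOperationException(
                $"Entry is outside the target directory: {entryName}");
        return full;
    }

    // The same comparison without the trailing separator, shown only for contrast.
    static bool WeakCheck(string outputDir, string entryName)
    {
        string root = Path.GetFullPath(outputDir);
        string full = Path.GetFullPath(Path.Combine(root, entryName));
        return full.StartsWith(root, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed output directory and entry names for the demonstration.
        string outputDir = Path.Combine(Path.GetTempPath(), "out");
        string[] names = { "docs/readme.txt", "a/../b.txt", "../escape.txt", "../out-old/x.txt" };
        foreach (string name in names)
        {
            string strict;
            try { ResolveInside(outputDir, name); strict = "accepted"; }
            catch (InvalidOperationException) { strict = "rejected"; }
            string weak = WeakCheck(outputDir, name) ? "accepted" : "rejected";
            Console.WriteLine($"{name,-18} strict={strict,-9} weak={weak}");
        }
    }
}
```

The last entry resolves to a sibling directory whose name merely begins with the output directory's name, which is the case the separator-less comparison lets through.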
…to include only the minimum required support for .NET Framework in GAM.
@claudiamurialdo claudiamurialdo temporarily deployed to external-storage-tests April 22, 2025 14:50 — with GitHub Actions Inactive
@genexusbot

Contributor
Cherry pick to beta success

@claudiamurialdo claudiamurialdo temporarily deployed to kafka-integration-tests April 24, 2025 18:32 — with GitHub Actions Inactive
@claudiamurialdo claudiamurialdo temporarily deployed to external-storage-tests April 24, 2025 18:32 — with GitHub Actions Inactive
@genexusbot

Contributor
Cherry pick to beta success

@tomas-sexenian tomas-sexenian temporarily deployed to kafka-integration-tests May 26, 2025 13:08 — with GitHub Actions Inactive
@tomas-sexenian tomas-sexenian had a problem deploying to external-storage-tests May 26, 2025 13:08 — with GitHub Actions Failure
@tomas-sexenian tomas-sexenian merged commit 56bef53 into master Jul 15, 2025
8 of 10 checks passed
@tomas-sexenian tomas-sexenian deleted the compress branch July 15, 2025 13:55
5 participants