GXCompress .NET implementation #1108
Conversation
Cherry pick to beta failed, 1 conflicted file in commit 0e4f16d
Manual cherry pick to beta success
Cherry pick to beta success
Cherry pick to beta failed, 1 conflicted file in commit 4a4bfbd
Manual cherry pick to beta success
Cherry pick to beta success
Cherry pick to beta success
Cherry pick to beta success
Cherry pick to beta failed, 1 conflicted file in commit c02af46
Manual cherry pick to beta success
Cherry pick to beta success
{
    foreach (var entry in archive.Entries)
    {
        string fullPath = Path.Combine(outputPath, entry.FullName);
Check failure
Code scanning / CodeQL
Arbitrary file access during archive extraction ("Zip Slip")
Copilot Autofix
AI about 1 year ago
To fix the issue, we need to validate the paths derived from `entry.FullName` to ensure they do not escape the intended `outputPath` directory. The fix involves:
- Using `Path.GetFullPath` to resolve the full path of the constructed file path (`fullPath`).
- Using `Path.GetFullPath` to resolve the full path of the `outputPath` directory, ensuring it ends with a directory separator.
- Verifying that the resolved `fullPath` starts with the resolved `outputPath`. If it does not, an exception is thrown.
- Applying the same validation logic to both `DecompressZip` and `DecompressJar` methods.
| @@ -604,3 +604,8 @@ | ||
| { | ||
| string fullPath = Path.Combine(outputPath, entry.FullName); | ||
| string fullPath = Path.GetFullPath(Path.Combine(outputPath, entry.FullName)); | ||
| string fullOutputPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar); | ||
| if (!fullPath.StartsWith(fullOutputPath, StringComparison.Ordinal)) | ||
| { | ||
| throw new InvalidOperationException($"Entry is outside the target directory: {entry.FullName}"); | ||
| } | ||
| if (string.IsNullOrEmpty(entry.Name)) | ||
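Review bot: the new `StartsWith` check runs inside the extraction loop, so when a later entry is rejected the `InvalidOperationException` leaves every entry extracted before it on disk under `outputPath`; either resolve and validate all `archive.Entries` before the first `ExtractToFile`, or have the caller remove the partial output when this exception surfaces. Worth a comment on the `fullPath` line: `Path.Combine` returns an absolute `entry.FullName` unchanged, so the prefix comparison is also what rejects absolute entry names, not the `Combine` itself.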
| @@ -620,3 +625,2 @@ | ||
| #endif | ||
|
|
||
| entry.ExtractToFile(fullPath, true); | ||
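Review bot: `entry.ExtractToFile(fullPath, true)` keeps `overwrite: true`, so two entries that normalize to the same `fullPath` (for example `a.txt` and `./a.txt`) silently replace each other, and an existing file under `outputPath` is clobbered without notice; if overwriting is not part of the contract of this method, pass `false` and let the resulting `IOException` surface, otherwise document the behaviour in the method's summary.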
| @@ -743,3 +747,8 @@ | ||
| { | ||
| string destinationPath = Path.Combine(outputPath, entry.FullName); | ||
| string destinationPath = Path.GetFullPath(Path.Combine(outputPath, entry.FullName)); | ||
| string fullOutputPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar); | ||
| if (!destinationPath.StartsWith(fullOutputPath, StringComparison.Ordinal)) | ||
| { | ||
| throw new InvalidOperationException($"Entry is outside the target directory: {entry.FullName}"); | ||
| } | ||
| if (string.IsNullOrEmpty(entry.Name)) |
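Review bot: these six lines are a verbatim copy of the block added to `DecompressZip` at line 604 in the same suggestion, apart from the `destinationPath` name; pull them into one helper that returns the validated destination path or throws, call it from both `DecompressZip` and `DecompressJar`, and unit-test the helper with names such as `../x`, `sub/../../x` and an absolute path so the two call sites cannot drift apart.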
{
    foreach (var entry in archive.Entries)
    {
        string destinationPath = Path.Combine(outputPath, entry.FullName);
Check failure
Code scanning / CodeQL
Arbitrary file access during archive extraction ("Zip Slip")
Copilot Autofix
AI about 1 year ago
To fix the issue, we need to validate and sanitize the paths derived from `entry.FullName` to ensure they do not escape the intended `outputPath`. The fix involves:
- Using `Path.GetFullPath` to resolve the full path of the destination file, which normalizes the path and resolves any directory traversal elements.
- Using `Path.GetFullPath` on the `outputPath` to determine the fully resolved path of the destination directory.
- Validating that the resolved destination file path starts with the resolved destination directory path. If it does not, an exception is thrown.
- Proceeding with file extraction only if the validation passes.
This ensures that all extracted files remain within the intended directory.
| @@ -743,3 +743,8 @@ | ||
| { | ||
| string destinationPath = Path.Combine(outputPath, entry.FullName); | ||
| string destinationPath = Path.GetFullPath(Path.Combine(outputPath, entry.FullName)); | ||
| string fullOutputPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar); | ||
| if (!destinationPath.StartsWith(fullOutputPath, StringComparison.Ordinal)) | ||
| { | ||
| throw new InvalidOperationException($"Entry is outside the target directory: {entry.FullName}"); | ||
| } | ||
| if (string.IsNullOrEmpty(entry.Name)) |
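Review bot: this suggestion duplicates the `DecompressJar` portion of the first autofix; its header reads `@@ -743,3 +743,8 @@` rather than `+747` because it was computed without the `DecompressZip` change applied, so applying both suggestions puts the `fullOutputPath` declaration and the `StartsWith` block into `DecompressJar` twice. Apply one of the two, then rerun the scan to confirm both alerts close.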
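The two autofix comments above describe the same check in prose. The following is an added, self-contained C# example written for this page; it is not code from the GXCompress project or from the autofix. It restates the `GetFullPath` / `StartsWith` check as a helper, runs it over constructed entry names (including a sibling-directory name that shows why the trailing separator matters), and goes one step beyond the suggestion by resolving every name before anything is written. The names `ZipSlipCheck`, `ResolveEntryPath`, `ResolveAll`, the temp-directory `outputPath` and all sample entry names are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example (not project code): the Zip Slip destination check from the
// autofix, isolated so it can be exercised without an archive on disk.
public static class ZipSlipCheck
{
    // Returns the resolved destination path for one archive entry, or throws
    // when the entry would land outside outputPath. Same logic as the autofix.
    public static string ResolveEntryPath(string outputPath, string entryFullName)
    {
        // The appended separator is what makes "/tmp/out" reject "/tmp/out2/x"
        // and not just "../x": without it "/tmp/out2/x" starts with "/tmp/out".
        string fullOutputPath = Path.GetFullPath(outputPath + Path.DirectorySeparatorChar);

        // Path.Combine returns an absolute entryFullName unchanged, so absolute
        // names are caught by the prefix comparison below, not by Combine.
        string fullPath = Path.GetFullPath(Path.Combine(outputPath, entryFullName));

        if (!fullPath.StartsWith(fullOutputPath, StringComparison.Ordinal))
        {
            throw new InvalidOperationException($"Entry is outside the target directory: {entryFullName}");
        }
        return fullPath;
    }

    // Resolve every name first, so that a rejected entry leaves nothing behind;
    // the autofix checks entry-by-entry while extraction is already under way.
    public static IReadOnlyList<string> ResolveAll(string outputPath, IEnumerable<string> entryNames)
    {
        var resolved = new List<string>();
        foreach (var name in entryNames)
        {
            resolved.Add(ResolveEntryPath(outputPath, name));
        }
        return resolved;
    }

    public static void Main()
    {
        // Constructed output directory and entry names; not taken from a real archive.
        string outputPath = Path.Combine(Path.GetTempPath(), "gxcompress-out");
        string[] samples =
        {
            "docs/readme.txt",            // ordinary relative entry: accepted
            "a/../b.txt",                 // traversal that stays inside: accepted as b.txt
            "../outside.txt",             // classic Zip Slip: rejected
            "sub/../../outside.txt",      // traversal after a valid prefix: rejected
            "../gxcompress-out2/x.txt",   // sibling dir; passes without the trailing separator: rejected
            "/etc/passwd",                // absolute name, Combine discards outputPath: rejected
        };

        foreach (var name in samples)
        {
            try
            {
                Console.WriteLine($"OK       {name} -> {ResolveEntryPath(outputPath, name)}");
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine($"REJECTED {name}: {ex.Message}");
            }
        }

        // Whole-archive validation: one bad name rejects the set before any write.
        try
        {
            ResolveAll(outputPath, samples);
        }
        catch (InvalidOperationException)
        {
            Console.WriteLine("ResolveAll rejected the set; nothing was written.");
        }
    }
}
```

`ResolveEntryPath` can be dropped into both `DecompressZip` and `DecompressJar` in place of the duplicated six lines, and `ResolveAll` is the shape to use if partial extraction on a bad entry is unacceptable. The comparison stays `StringComparison.Ordinal` because a casing mismatch between `outputPath` and the resolved entry can only cause a false rejection, never a bypass.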
…to include only the minimum required support for .NET Framework in GAM.
Cherry pick to beta success
Cherry pick to beta success
No description provided.