Skip to content

fix(security): sanitize archive extraction paths in RPA.Archive (zip slip)#1341

Open
mikahanninen wants to merge 1 commit into
masterfrom
fix/archive-zip-slip-1339
Open

fix(security): sanitize archive extraction paths in RPA.Archive (zip slip)#1341
mikahanninen wants to merge 1 commit into
masterfrom
fix/archive-zip-slip-1339

Conversation

@mikahanninen

Copy link
Copy Markdown
Collaborator

Summary

  • Fixes a Zip Slip / path traversal vulnerability (CWE-22) in RPA.Archive.Extract Archive. Both the zipfile and tarfile extraction branches called extractall() without validating member paths, so a crafted archive with an entry like ../../evil.py could write files outside the requested destination directory.
  • Adds _check_extraction_safety() which resolves each member's destination path and raises ValueError if it would escape the target directory, applied before extraction for both zip and tar archives (whole-archive and selected-members extraction).
  • Adds regression tests (tests/python/test_archive.py) covering rejected zip/tar traversal archives and a normal extraction still working.
  • Bumps rpaframework to 32.0.2 and updates release notes.

Fixes #1339, #1340.

Test plan

  • uv run pytest tests/python/test_archive.py -vv — 3 passed (rejects zip slip, rejects tar slip, normal extraction still works)
  • invoke code.test-robot -r archive — 19/19 existing Robot Framework tests still pass (no regression to normal extraction behavior)
  • pylint clean on Archive.py

🤖 Generated with Claude Code

…slip)

Extract Archive previously called zipfile/tarfile extractall() without
validating that member paths stayed within the destination directory,
allowing a crafted archive (e.g. a member named "../../evil.py") to
write files outside the requested extraction path (CWE-22).

Fixes #1339, #1340
@cursor

cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Wheel artifact

Built from commit 3cdc647 — download from the workflow run (Artifacts section at the bottom of the page).

Artifact name: rpaframework-wheel (retained 14 days)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: zip slip path traversal in rpaframework

1 participant