Add artifact malware quarantine guard#410
Open
KoiosSG wants to merge 2 commits into
Open
Conversation
Author
|
Hardening update pushed in c350c45: added ZIP Slip-style archive path traversal quarantine coverage for parent-directory, absolute, drive-rooted, UNC, and null-byte archive entries. Validation refreshed locally: npm run check, npm test (4 tests), npm run demo, npm run demo:video, ffprobe on reports/demo.mp4, git diff --check, and a sensitive-term scan with no matches. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
/claim #14
Summary
artifact-malware-quarantine-guard/slice for Scientific/Engineering Data & Code Hosting issue Scientific/Engineering Data & Code Hosting #14.Scope
This focuses specifically on malware, archive-bomb, archive path traversal, macro-enabled spreadsheet, unsafe model deserialization, embedded notebook script, denylisted checksum, and stale-scan gates before hosted artifacts are released.
It is distinct from the existing FAIR manifest/access, artifact package integrity, preview cache, raw/notebook preview, retention/tombstone, model-card lineage, license compatibility, sensitive-redaction, schema-evolution, data-dictionary, persistent-ID, SBOM, upload checkpoint, replica consistency, and column-sensitivity slices.
Hardening update
Validation
cd artifact-malware-quarantine-guard && npm run check-> passedcd artifact-malware-quarantine-guard && npm test-> artifact-malware-quarantine-guard tests passed (4)cd artifact-malware-quarantine-guard && npm run demo-> generated JSON/Markdown/SVG artifactscd artifact-malware-quarantine-guard && npm run demo:video-> generatedreports/demo.mp4ffprobeconfirmedreports/demo.mp4is H.264, 1280x720, 7.5s, 24fpsgit diff --check-> passedrg -n "(password|secret|wallet|paypal|bank|passport|private key|api key)" artifact-malware-quarantine-guard-> no matchesSafety
Synthetic data only. No credentials, private research files, network calls, live malware scanner calls, storage mutations, payment processor calls, or private dashboard data are included.
AI-assisted with OpenAI Codex; I reviewed and locally verified the diff before submitting.