Add warning to ZipFile.ExtractToDirectory and ExtractToDirectoryAsync docs#12355

Merged: gewarren merged 4 commits into main from copilot/add-security-warning-zipfile-extract on Feb 28, 2026

Copilot AI commented Feb 27, 2026

Contributor
  • Add security warning to all 16 ExtractToDirectory and ExtractToDirectoryAsync overloads
  • Convert all remarks sections to full <format type="text/markdown"> format
  • Fix reversed entryNameEncoding condition description in two async overloads
  • Split overly long paragraph in string-based async methods for readability
  • Remove extra whitespace after > in all 16 warning lines (>  This method → > This method)

@github-actions github-actions Bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Feb 27, 2026
…toryAsync remarks

Co-authored-by: rzikm <32671551+rzikm@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add security warning for ZipFile.ExtractToDirectory methods" to "Add zip-bomb security warning to ZipFile.ExtractToDirectory and ExtractToDirectoryAsync docs" Feb 27, 2026
@rzikm rzikm added area-System.IO.Compression and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Feb 27, 2026
@dotnet-policy-service

Contributor

Tagging subscribers to this area: @dotnet/area-system-io-compression

rzikm commented Feb 27, 2026

Member

cc @GrabYourPitchforks, @blowdart for wording

@rzikm rzikm requested a review from gewarren February 27, 2026 14:04
@rzikm rzikm marked this pull request as ready for review February 27, 2026 14:04
@rzikm rzikm requested a review from a team as a code owner February 27, 2026 14:04
Copilot AI review requested due to automatic review settings February 27, 2026 14:04
@rzikm rzikm changed the title from "Add zip-bomb security warning to ZipFile.ExtractToDirectory and ExtractToDirectoryAsync docs" to "Add warning to ZipFile.ExtractToDirectory and ExtractToDirectoryAsync docs" Feb 27, 2026

Copilot AI left a comment

Contributor

Pull request overview

This PR adds security warnings to all ZipFile.ExtractToDirectory and ExtractToDirectoryAsync methods, alerting developers that these convenience APIs don't enforce limits on uncompressed size or entry count, making them vulnerable to zip-bomb attacks when used with untrusted archives.

Changes:

  • Added security warnings to 16 method overloads in ZipFile.xml
  • Warning directs users to manually iterate entries using ZipArchive and validate limits before extraction
  • Applied consistent warning text across three different XML documentation formats (markdown, para, plain text)
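
The pattern the warning points to (iterate ZipArchive entries and enforce entry-count and uncompressed-size limits), as an added C# example that is not part of this PR or of the .NET documentation. The class name BoundedZip and both limit values are assumptions chosen for illustration.

```csharp
using System;
using System.IO;
using System.IO.Compression;

static class BoundedZip // hypothetical helper, not a .NET API
{
    const int MaxEntries = 1_000;                    // assumed limit
    const long MaxTotalBytes = 256L * 1024 * 1024;   // assumed limit

    public static void Extract(string zipPath, string destDir)
    {
        string root = Path.GetFullPath(destDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar))
            root += Path.DirectorySeparatorChar;

        using ZipArchive archive = ZipFile.OpenRead(zipPath);
        if (archive.Entries.Count > MaxEntries)
            throw new InvalidDataException("Archive has too many entries.");

        long written = 0;
        var buffer = new byte[81920];
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            // Manual extraction has to do its own containment check.
            string target = Path.GetFullPath(Path.Combine(root, entry.FullName));
            if (!target.StartsWith(root, StringComparison.Ordinal))
                throw new InvalidDataException("Entry path leaves the destination.");

            // An empty Name marks a directory entry.
            if (entry.Name.Length == 0) { Directory.CreateDirectory(target); continue; }

            // Early rejection on the declared size. That value comes from
            // archive metadata, so the bytes actually written are counted too.
            if (entry.Length > MaxTotalBytes - written)
                throw new InvalidDataException("Declared size exceeds the limit.");

            Directory.CreateDirectory(Path.GetDirectoryName(target) ?? root);
            using Stream source = entry.Open();
            using var dest = new FileStream(target, FileMode.CreateNew, FileAccess.Write);
            int n;
            while ((n = source.Read(buffer, 0, buffer.Length)) > 0)
            {
                written += n;
                if (written > MaxTotalBytes)
                    throw new InvalidDataException("Uncompressed data exceeds the limit.");
                dest.Write(buffer, 0, n);
            }
        }
    }
}
```

Extract into a fresh directory and delete it if an exception is thrown, since files written before a limit was hit remain on disk.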

Comment thread xml/System.IO.Compression/ZipFile.xml Outdated
… fix encoding condition order

Co-authored-by: rzikm <32671551+rzikm@users.noreply.github.com>

@gewarren gewarren left a comment

Collaborator

@copilot Please remove one of the whitespace characters after the '>' character throughout this PR.

Comment thread xml/System.IO.Compression/ZipFile.xml Outdated
Co-authored-by: gewarren <24882762+gewarren@users.noreply.github.com>

Copilot AI commented Feb 28, 2026

Contributor Author

> @copilot Please remove one of the whitespace characters after the '>' character throughout this PR.

Done in f4a0248. Removed the extra space from all 16 warning lines (>  This method → > This method).

@gewarren gewarren enabled auto-merge (squash) February 28, 2026 17:20
@gewarren gewarren merged commit ee4386f into main Feb 28, 2026
6 checks passed
@gewarren gewarren deleted the copilot/add-security-warning-zipfile-extract branch February 28, 2026 17:40