Fixing scanning issue of jars inside war files #22
Conversation
Do you have an example war file where it goes wrong? I tested on the following WAR file: https://get.jenkins.io/war-stable/1.409.3/jenkins.war
You're right, it works on Python 3.8.5. On Python 3.6.9, the same command gives this (i.e., fails silently):
With the debug output:
Just realized Python 3.6.9 does not work anyway with more recent changes
Until zipfile.Path was added, this would have fixed the script to work with Python < 3.8
I'll close for now.
@dariux Hi dariux, I fixed the
Thanks, should work now. Python 3.8.5 - same output (still works). Python 3.6.9 BEFORE:
Python 3.6.9 AFTER:
Before I merge I want to check what causes this issue. Now it loads the zip file in memory instead of a file handle, which can be problematic if it's a big file.
Made a small test case:

```python
import zipfile

# https://get.jenkins.io/war-stable/1.409.3/jenkins.war
zfile = zipfile.ZipFile("jenkins.war")
# Pick the entry at index 1332 of the outer archive (a nested archive inside the war)
zinfo = zfile.infolist()[1332]
print(zinfo)
# Streaming handle (ZipExtFile) for the inner archive
zf = zfile.open(zinfo.filename)
print(zf)
# Open the inner archive from that handle; this is the step that breaks on older Pythons
test = zipfile.ZipFile(zf)
print(test)
print(len(test.infolist()))
```

Dockerfile for easy testing:

```dockerfile
ARG VERSION
FROM python:${VERSION}
RUN echo "building version ${VERSION}"
COPY jenkins.war /
COPY test.py /
CMD python3 test.py
```

```shell
$ docker build -t zipfile:3.6.9 --build-arg VERSION=3.6.9 .
$ docker build -t zipfile:3.6.10 --build-arg VERSION=3.6.10 .
$ docker build -t zipfile:3.7.0 --build-arg VERSION=3.7.0 .
$ docker build -t zipfile:3.7.2 --build-arg VERSION=3.7.2 .
# run using:
$ docker run -it --rm zipfile:3.6.9 # breaks
$ docker run -it --rm zipfile:3.6.10 # breaks
$ docker run -it --rm zipfile:3.7.0 # breaks
$ docker run -it --rm zipfile:3.7.2 # ok
```
Traced back to this issue: https://stackoverflow.com/questions/54886147/zipextfile-does-not-have-a-seek-method-in-python3-7-0 And these bugs in Python:
So anything below 3.7.2 seems to have zipfile issues.
Yes, you were too quick for me to respond, those are the correct references. The downside is it loads individual jars into memory; the upside - does not fail scanning war files silently. Thanks!
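To make the trade-off discussed above concrete, here is an added example (not code from the PR or from the scanner itself) that opens a jar nested inside a constructed .war: it tries the streaming ZipExtFile handle first and falls back to reading the entry into memory only when the handle cannot seek, with an assumed size cap (MAX_INNER_BYTES) so the in-memory path cannot be fed an arbitrarily large inner archive. The helper names, the cap value and the sample archive contents are all constructed for this example.

```python
import io
import zipfile

# Assumed cap for the in-memory fallback (constructed value, not from the PR):
# reading a whole inner jar into memory is the trade-off discussed in the thread.
MAX_INNER_BYTES = 64 * 1024 * 1024

def open_nested_zip(outer, zinfo, max_bytes=MAX_INNER_BYTES):
    """Open the archive stored as entry `zinfo` of the open ZipFile `outer`.
    Returns (ZipFile, in_memory). The streaming handle is tried first; if it
    cannot seek (the older-Python failure), the entry is read into a BytesIO."""
    handle = outer.open(zinfo)
    try:
        return zipfile.ZipFile(handle), False
    except (AttributeError, OSError, ValueError):  # no seek / unsupported seek
        handle.close()
    if zinfo.file_size > max_bytes:
        raise ValueError("%s: %d bytes exceeds in-memory cap" % (zinfo.filename, zinfo.file_size))
    with outer.open(zinfo) as fresh:  # re-open: the failed attempt may have consumed bytes
        data = fresh.read()
    return zipfile.ZipFile(io.BytesIO(data)), True

def list_nested_entries(war_fp, suffixes=(".jar", ".zip", ".war", ".ear")):
    """Walk one archive level down; map inner archive name -> (sorted entries, in_memory)."""
    result = {}
    with zipfile.ZipFile(war_fp) as outer:
        for zinfo in outer.infolist():
            if zinfo.filename.lower().endswith(suffixes):
                inner, in_memory = open_nested_zip(outer, zinfo)
                with inner:
                    result[zinfo.filename] = (sorted(inner.namelist()), in_memory)
    return result

def build_sample_war():
    """Constructed sample .war: one jar with a Log4j-like class path (dummy bytes, not real code)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", b"\xca\xfe\xba\xbe")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", b"<web-app/>")
        z.writestr("WEB-INF/lib/log4j-core-sample.jar", jar.getvalue())
    war.seek(0)
    return war

if __name__ == "__main__":
    print(list_nested_entries(build_sample_war()))
```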
See fox-it#22 for more bug details
Yes agreed, I have modified your patch to do just this, see #33
Current version would not scan zip files inside zip files properly (i.e., log4j jars inside *.war files)