Skip to content

GeneXus compression module #874

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 55 commits into from
Jul 2, 2025
Merged

GeneXus compression module #874

merged 55 commits into from
Jul 2, 2025

Conversation

tomas-sexenian
Copy link
Contributor

No description provided.

@tomas-sexenian tomas-sexenian requested a review from iroqueta June 4, 2024 20:24
@genexusbot
Copy link
Collaborator

Cherry pick to beta failed, 1 conflicted file in commit 594547c
  • pom.xml

@genexusbot
Copy link
Collaborator

Manual cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

iroqueta
iroqueta previously approved these changes Mar 19, 2025
View reviewed changes
@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

sgrampone
sgrampone previously approved these changes Apr 8, 2025
View reviewed changes
Copy link
Contributor

@sgrampone sgrampone left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the concerns that were raised have now been addressed and resolved

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@genexusbot
Copy link
Collaborator

Cherry pick to beta success

@tomas-sexenian tomas-sexenian requested a review from iroqueta May 26, 2025 13:05
@genexusbot
Copy link
Collaborator

Cherry pick to beta success

github-advanced-security[bot]
github-advanced-security bot found potential problems Jul 2, 2025
View reviewed changes
gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
try (ZipInputStream zis = new ZipInputStream(Files.newInputStream(archive.toPath()))) {
ZipEntry zipEntry;
while ((zipEntry = zis.getNextEntry()) != null) {
File newFile = new File(directory, zipEntry.getName());

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip") High

Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.

Copilot Autofix

AI 3 months ago

To fix the issue, we need to validate the zipEntry.getName() to ensure it does not contain directory traversal sequences or attempt to write files outside the intended extraction directory. This can be achieved by:

  1. Normalizing the path of the extracted file using File.getCanonicalPath() to resolve any .. or symbolic links.
  2. Verifying that the normalized path starts with the canonical path of the intended extraction directory.
  3. Throwing an exception if the validation fails.

The fix will involve:

  • Normalizing the newFile path and the target directory path.
  • Checking that the normalized newFile path starts with the normalized target directory path.
  • Rejecting any zip entries that fail this validation.
Suggested changeset 1
gxcompress/src/main/java/com/genexus/compression/GXCompressor.java

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java b/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
--- a/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
+++ b/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
@@ -590,2 +590,8 @@
 				File newFile = new File(directory, zipEntry.getName());
+				// Validate the new file path to prevent directory traversal
+				String canonicalDirPath = new File(directory).getCanonicalPath();
+				String canonicalFilePath = newFile.getCanonicalPath();
+				if (!canonicalFilePath.startsWith(canonicalDirPath + File.separator)) {
+					throw new IOException("Entry is outside of the target dir: " + zipEntry.getName());
+				}
 				if (zipEntry.isDirectory()) {
EOF
@@ -590,2 +590,8 @@
File newFile = new File(directory, zipEntry.getName());
// Validate the new file path to prevent directory traversal
String canonicalDirPath = new File(directory).getCanonicalPath();
String canonicalFilePath = newFile.getCanonicalPath();
if (!canonicalFilePath.startsWith(canonicalDirPath + File.separator)) {
throw new IOException("Entry is outside of the target dir: " + zipEntry.getName());
}
if (zipEntry.isDirectory()) {
Copilot is powered by AI and may make mistakes. Always verify output.
gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
try (SevenZFile sevenZFile = new SevenZFile(archive)) {
SevenZArchiveEntry entry;
while ((entry = sevenZFile.getNextEntry()) != null) {
File newFile = new File(directory, entry.getName());

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip") High

Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
try (TarArchiveInputStream tis = new TarArchiveInputStream(Files.newInputStream(archive.toPath()))) {
TarArchiveEntry entry;
while ((entry = tis.getNextEntry()) != null) {
File newFile = new File(directory, entry.getName());

Check failure

Code scanning / CodeQL

Arbitrary file access during archive extraction ("Zip Slip") High

Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.
Unsanitized archive entry, which may contain '..', is used in a
file system operation
Loading
.

Copilot Autofix

AI 3 months ago

To fix the issue, we need to validate the paths derived from entry.getName() to ensure they remain within the intended extraction directory. This can be achieved by normalizing the constructed file path and verifying that it starts with the canonical path of the destination directory. If the validation fails, the code should throw an exception to prevent unsafe file operations.

Steps to implement the fix:

  1. Normalize the constructed file path using File.getCanonicalFile() or Path.normalize().
  2. Compare the normalized path with the canonical path of the destination directory using Path.startsWith() to ensure it is within the intended directory.
  3. Throw an exception if the validation fails.
Suggested changeset 1
gxcompress/src/main/java/com/genexus/compression/GXCompressor.java

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java b/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
--- a/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
+++ b/gxcompress/src/main/java/com/genexus/compression/GXCompressor.java
@@ -641,3 +641,7 @@
 			while ((entry = tis.getNextEntry()) != null) {
-				File newFile = new File(directory, entry.getName());
+				File newFile = new File(directory, entry.getName()).getCanonicalFile();
+				File canonicalDir = new File(directory).getCanonicalFile();
+				if (!newFile.toPath().normalize().startsWith(canonicalDir.toPath())) {
+					throw new IOException("Entry is outside the target directory: " + entry.getName());
+				}
 				if (entry.isDirectory()) {
EOF
@@ -641,3 +641,7 @@
while ((entry = tis.getNextEntry()) != null) {
File newFile = new File(directory, entry.getName());
File newFile = new File(directory, entry.getName()).getCanonicalFile();
File canonicalDir = new File(directory).getCanonicalFile();
if (!newFile.toPath().normalize().startsWith(canonicalDir.toPath())) {
throw new IOException("Entry is outside the target directory: " + entry.getName());
}
if (entry.isDirectory()) {
Copilot is powered by AI and may make mistakes. Always verify output.
@tomas-sexenian tomas-sexenian merged commit 1b37ff7 into master Jul 2, 2025
9 of 10 checks passed
@tomas-sexenian tomas-sexenian deleted the Compress branch July 2, 2025 19:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iroqueta iroqueta iroqueta approved these changes

@sgrampone sgrampone sgrampone left review comments

Assignees
No one assigned
Labels
bot closed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@tomas-sexenian @genexusbot @sgrampone @iroqueta @cinthamo @anaiberta