
Conversation

@harshach (Collaborator) commented Dec 10, 2025

Potential fix for https://github.com/open-metadata/OpenMetadata/security/code-scanning/1745

General Fix Approach:
The best way to address this vulnerability is to validate that archive entry names do not enable traversal outside the intended root directory. Before using the archive entry name (fileName) in a filesystem operation or resource lookup, normalize the path and check that it is strictly inside a safe base directory.

Detailed Fix:
Since archive entries from jars can contain relative paths, sanitize these before returning from getResourcesFromJarFile. Specifically:

  • For each entry name, convert it to a Path, normalize the path, and check that it does not contain unsafe path segments like .. or absolute path markers.
  • Only include valid, safe paths in the result.

Which files/lines to edit:

  • Edit the method getResourcesFromJarFile in common/src/main/java/org/openmetadata/common/utils/CommonUtil.java, lines around 88–104.
  • Sanitize the archive entry names before returning.
  • If any utility method for safe path checking is needed (e.g., isSafeZipEntryName), add it inside the same file.

Needed imports/methods:

  • If not present, import java.nio.file.Paths and java.nio.file.Path.
  • May need to add a private static method for path validation.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


Summary by Gitar

  • Security enhancement:
    • Added isSafeZipEntryName validation method in CommonUtil.java to prevent Zip Slip path traversal attacks
  • Path validation:
    • Validates ZIP entry names using Path.normalize() to block absolute paths, .. segments, and empty path components
  • Integration:
    • Modified getResourcesFromJarFile to check entry safety before pattern matching with warning logs for unsafe entries

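As an added example (not OpenMetadata's code and not the Copilot Autofix patch itself), the following Java class implements the validation the fix plan and the Gitar summary describe: normalize the entry name with java.nio.file.Path, reject absolute paths, ".." segments and empty components, and only then let the name through to pattern matching, logging a warning for anything rejected. The class name ZipEntryNameCheck, the helpers resolveInside and safeMatchingEntries, and the sample entry names are constructed for illustration; a plain list of strings stands in for the JarFile entries the real method iterates.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not OpenMetadata's code: an entry-name check in the shape the
// fix plan describes. Class name, resolveInside, safeMatchingEntries and the
// sample entry names are constructed for illustration.
public final class ZipEntryNameCheck {

    private ZipEntryNameCheck() {}

    /**
     * Returns true only if the entry name, once normalized, cannot escape the
     * directory it is resolved against: no absolute path, no ".." segment,
     * no empty path component.
     */
    static boolean isSafeZipEntryName(String entryName) {
        if (entryName == null || entryName.isEmpty()) {
            return false;
        }
        // ZIP names are '/'-separated, but a crafted archive may carry '\';
        // unify so a Windows host cannot interpret a path we never checked.
        String unified = entryName.replace('\\', '/');
        if (unified.startsWith("/") || unified.matches("^[A-Za-z]:.*")) {
            return false; // absolute path or drive-letter prefix
        }
        // Empty components ("a//b", "a/") are checked on the raw string because
        // Paths.get() silently collapses redundant separators. Directory
        // entries ("dir/") are therefore rejected too, which is harmless for a
        // resource lookup that only wants files.
        for (String part : unified.split("/", -1)) {
            if (part.isEmpty()) {
                return false;
            }
        }
        Path normalized;
        try {
            normalized = Paths.get(unified).normalize();
        } catch (InvalidPathException e) {
            return false; // characters the host filesystem rejects, e.g. NUL
        }
        if (normalized.isAbsolute() || normalized.getNameCount() == 0) {
            return false;
        }
        // A ".." that survives normalize() climbed above the root
        // ("a/../../x" -> "../x"); "a/../b" -> "b" is harmless and passes.
        for (Path segment : normalized) {
            if (segment.toString().equals("..")) {
                return false;
            }
        }
        return true;
    }

    /**
     * For callers that write entries to disk: resolve against the extraction
     * root and require the result to stay strictly inside it. Returns null
     * when the entry must not be written.
     */
    static Path resolveInside(Path root, String entryName) {
        if (!isSafeZipEntryName(entryName)) {
            return null;
        }
        Path base = root.toAbsolutePath().normalize();
        Path target = base.resolve(entryName.replace('\\', '/')).normalize();
        return target.startsWith(base) && !target.equals(base) ? target : null;
    }

    /** The integration step: check safety first, then pattern-match survivors. */
    static List<String> safeMatchingEntries(List<String> entryNames, Pattern pattern) {
        List<String> result = new ArrayList<>();
        for (String name : entryNames) {
            if (!isSafeZipEntryName(name)) {
                System.err.println("WARN skipping unsafe archive entry: " + name);
                continue;
            }
            if (pattern.matcher(name).matches()) {
                result.add(name);
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample entry names, as a hostile archive might carry them.
        List<String> names = List.of(
            "json/data/types/basic.json",
            "../../etc/passwd",
            "json/../../../tmp/evil.json",
            "/etc/shadow",
            "json\\..\\..\\boot.ini",
            "json//double/slash.json",
            "json/data/entity/../types/ok.json");
        Pattern pattern = Pattern.compile("json/.*\\.json");
        for (String n : names) {
            System.out.println(isSafeZipEntryName(n) + "  " + n);
        }
        System.out.println("kept: " + safeMatchingEntries(names, pattern));
    }
}
```

Of the seven sample names only the first and the last pass: the last contains a ".." that normalize() cancels against a preceding segment, so it never leaves the root. The resolveInside check is the second line of defense the fix plan mentions ("strictly inside a safe base directory"); it matters for code that extracts entries rather than merely listing them, because a name that passes the string check is still resolved against a concrete root before any file is created.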


… during archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
gitar-bot (bot) commented Dec 10, 2025

Auto-apply is off - Gitar will not commit updates to this branch. Enable by commenting gitar auto-apply:on.


Labels: backend, safe to test
