Replaces ZipInputStream with ZipFile to fix Zip Slip vulnerability #7230
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
dblock
reviewed
Apr 19, 2023
| @@ -749,12 +752,11 @@ private Path unzip(Path zip, Path pluginsDir) throws IOException, UserException | |||
| if (entry.isDirectory() == false) { | |||
| try (OutputStream out = Files.newOutputStream(targetFile)) { | |||
| int len; | |||
| while ((len = zipInput.read(buffer)) >= 0) { | |||
| while ((len = zipFile.getInputStream(entry).read(buffer)) >= 0) { | |||
There was a problem hiding this comment.
I think this reopens the stream every time we loop (or relies on the fact that zipFile.getInputStream memoizes a stream), let's do it once?
dblock
requested changes
Apr 19, 2023
CHANGELOG.md
Outdated
| @@ -79,6 +79,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), | |||
| - Fix compression support for h2c protocol ([#4944](https://github.com/opensearch-project/OpenSearch/pull/4944)) | |||
| - Support OpenSSL Provider with default Netty allocator ([#5460](https://github.com/opensearch-project/OpenSearch/pull/5460)) | |||
| - Avoid negative memory result in IndicesQueryCache stats calculation ([#6917](https://github.com/opensearch-project/OpenSearch/pull/6917)) | |||
| - Replaces ZipInputStream with ZipFile to fix ZipSlip vulnerability ([#7230](https://github.com/opensearch-project/OpenSearch/pull/7230)) | |||
There was a problem hiding this comment.
replace "fix ZipSlip..." by "fix CVE-..."
There was a problem hiding this comment.
I don't know of a specific CVE for this vulnerability. But I do see a group of different vulnerabilities related to zip slip exploit. Refer here for more details:
There was a problem hiding this comment.
Ok, I don't see a CVE in the list on https://github.com/snyk/zip-slip-vulnerability either.
I think the correct spelling is with a space though, isn't it? "Zip Slip".
More details about the vulenrability can be found on https://github.com/snyk/zip-slip-vulnerability Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
force-pushed
the
zipstreams-bug-fix
branch
from
89c0a8a
to
a25aa5d
Compare
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
|
Need to re-run Gradle Precommit. The failure seems to be flaky on the Github runner's end. |
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
dblock
reviewed
Apr 21, 2023
| @@ -748,13 +751,13 @@ private Path unzip(Path zip, Path pluginsDir) throws IOException, UserException | |||
| } | |||
| if (entry.isDirectory() == false) { | |||
| try (OutputStream out = Files.newOutputStream(targetFile)) { | |||
| InputStream input = zipFile.getInputStream(entry); | |||
There was a problem hiding this comment.
Does the input stream not need to be closed, including on error?
There was a problem hiding this comment.
Yes, I will add input.close().
There was a problem hiding this comment.
You will need to close it in a finally block, otherwise it will leak on read error.
There was a problem hiding this comment.
Include it in the try-with-resources:
try (OutputStream out = Files.newOutputStream(targetFile);
InputStream input = zipFile.getInputStream(entry)) {
...
}
dblock
reviewed
Apr 21, 2023
| @@ -78,3 +80,28 @@ thirdPartyAudit.ignoreViolations( | |||
| 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator', | |||
| 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2' | |||
| ) | |||
|
|
|||
| thirdPartyAudit.ignoreMissingClasses( | |||
There was a problem hiding this comment.
Without these, the task ':distribution:tools:plugin-cli:thirdPartyAudit' fails. See details here.
There was a problem hiding this comment.
@reta do you know if this is ok?
There was a problem hiding this comment.
@reta do you know if this is ok?
Yeah, I think this is fine, the common-compress may have optional dependencies on ZSTD and other codecs, so we need to exclude these classes (we don't use these codecs here)
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## main #7230 +/- ##
============================================
+ Coverage 70.65% 70.69% +0.03%
+ Complexity 59518 59486 -32
============================================
Files 4859 4859
Lines 285527 285527
Branches 41150 41149 -1
============================================
+ Hits 201749 201861 +112
+ Misses 67216 67051 -165
- Partials 16562 16615 +53
|
DarshitChanpura
requested review from
reta,
anasalkouz and
andrross
as code owners
DarshitChanpura
requested review from
owaiskazi19,
Rishikesh1159,
ryanbogan,
saratvemulapalli,
shwetathareja,
dreamer-89,
tlfeng,
VachaShah and
xuezhou25
as code owners
DarshitChanpura
changed the title
DarshitChanpura
changed the title
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
force-pushed
the
zipstreams-bug-fix
branch
from
f97e548
to
435321e
Compare
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
|
Gradle precommit failure seems to be a memory issue with GIthub runner. Re-run should probably solve it. |
dblock
reviewed
Apr 25, 2023
| @@ -78,3 +80,28 @@ thirdPartyAudit.ignoreViolations( | |||
| 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator', | |||
| 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2' | |||
| ) | |||
|
|
|||
| thirdPartyAudit.ignoreMissingClasses( | |||
There was a problem hiding this comment.
@reta do you know if this is ok?
| byte[] buffer = new byte[8192]; | ||
| while ((entry = zipInput.getNextEntry()) != null) { | ||
| while (entries.hasMoreElements()) { | ||
| entry = entries.nextElement(); |
There was a problem hiding this comment.
Does entries.nextElment() return null when there are no more entries? You could collapse the loop in that case without needing to check entries.hasMoreElements() into while (entry = entries.nextElement()) { }.
There was a problem hiding this comment.
entries.nextElement() returns NoSucElementException when no more elements exist.
According to definition:
Throws:
NoSuchElementException – if no more elements exist.
| @@ -748,13 +751,13 @@ private Path unzip(Path zip, Path pluginsDir) throws IOException, UserException | |||
| } | |||
| if (entry.isDirectory() == false) { | |||
| try (OutputStream out = Files.newOutputStream(targetFile)) { | |||
| InputStream input = zipFile.getInputStream(entry); | |||
There was a problem hiding this comment.
You will need to close it in a finally block, otherwise it will leak on read error.
reta
reviewed
Apr 26, 2023
| @@ -748,13 +751,14 @@ private Path unzip(Path zip, Path pluginsDir) throws IOException, UserException | |||
| } | |||
| if (entry.isDirectory() == false) { | |||
| try (OutputStream out = Files.newOutputStream(targetFile)) { | |||
| InputStream input = zipFile.getInputStream(entry); | |||
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Gradle Check (Jenkins) Run Completed with:
|
reta
approved these changes
Apr 27, 2023
dblock
approved these changes
Apr 28, 2023
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-7230-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 84227681555b4aec12725c4454c39834cb6839d2
# Push it to GitHub
git push --set-upstream origin backport/backport-7230-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-2.xThen, create a pull request where the |
|
@DarshitChanpura want to manually backport to 2.x? |
DarshitChanpura
added a commit
to DarshitChanpura/OpenSearch
that referenced
this pull request
May 2, 2023
…pensearch-project#7230) * Replaces ZipInputStream with ZipFile to fix ZipSlip vulnerability More details about the vulenrability can be found on https://github.com/snyk/zip-slip-vulnerability Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds a CHANGELOG entry Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Changes the base package for ZipFile to avoid forbiddenApisError Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates SHAs Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds LICENSE and NOTICE files for commons-compress package Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates thirdParty ignoreMissingClasses list Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Closes input stream Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes NoSuchFileException when reading files Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes spotless errors Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes CHANGELOG.md Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Addresses PR comments Signed-off-by: Darshit Chanpura <dchanp@amazon.com> --------- Signed-off-by: Darshit Chanpura <dchanp@amazon.com> (cherry picked from commit 8422768)
Merged
6 tasks
dblock
pushed a commit
that referenced
this pull request
May 3, 2023
…7230) (#7366) * Replaces ZipInputStream with ZipFile to fix ZipSlip vulnerability More details about the vulenrability can be found on https://github.com/snyk/zip-slip-vulnerability Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds a CHANGELOG entry Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Changes the base package for ZipFile to avoid forbiddenApisError Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates SHAs Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds LICENSE and NOTICE files for commons-compress package Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates thirdParty ignoreMissingClasses list Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Closes input stream Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes NoSuchFileException when reading files Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes spotless errors Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes CHANGELOG.md Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Addresses PR comments Signed-off-by: Darshit Chanpura <dchanp@amazon.com> --------- Signed-off-by: Darshit Chanpura <dchanp@amazon.com> (cherry picked from commit 8422768)
shiv0408
pushed a commit
to Gaurav614/OpenSearch
that referenced
this pull request
Apr 25, 2024
…pensearch-project#7230) * Replaces ZipInputStream with ZipFile to fix ZipSlip vulnerability More details about the vulenrability can be found on https://github.com/snyk/zip-slip-vulnerability Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds a CHANGELOG entry Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Changes the base package for ZipFile to avoid forbiddenApisError Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates SHAs Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Adds LICENSE and NOTICE files for commons-compress package Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Updates thirdParty ignoreMissingClasses list Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Closes input stream Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes NoSuchFileException when reading files Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes spotless errors Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Fixes CHANGELOG.md Signed-off-by: Darshit Chanpura <dchanp@amazon.com> * Addresses PR comments Signed-off-by: Darshit Chanpura <dchanp@amazon.com> --------- Signed-off-by: Darshit Chanpura <dchanp@amazon.com> Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
More details about the vulenrability can be found on https://github.com/snyk/zip-slip-vulnerability
Description
ZipInputStream can cause a potential zipslip vulnerability. This PR aims at fixing the vulnerability by replacing it with ZipFile class.
Issues Resolved
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.