
[Backport 2.x] Replaces ZipInputStream with ZipFile to fix Zip Slip vulnerability (#7230) #7366

Merged

Conversation

DarshitChanpura
Member

Description

Backports #7230 to 2.x

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff
  • Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

…pensearch-project#7230)

* Replaces ZipInputStream with ZipFile to fix ZipSlip vulnerability

More details about the vulnerability can be found on https://github.com/snyk/zip-slip-vulnerability

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Adds a CHANGELOG entry

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Changes the base package for ZipFile to avoid forbiddenApisError

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Updates SHAs

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Adds LICENSE and NOTICE files for commons-compress package

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Updates thirdParty ignoreMissingClasses list

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Closes input stream

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Fixes NoSuchFileException when reading files

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Fixes spotless errors

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Fixes CHANGELOG.md

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

* Addresses PR comments

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>

---------

Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
(cherry picked from commit 8422768)
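The Zip Slip issue named in the commit message above is path traversal through crafted archive entry names (for example names containing `../`), so the defensive core of any fix is to resolve every entry against the extraction root and refuse anything that lands outside it. The following is an added illustration, not code from OpenSearch or from PR #7230: it builds a constructed two-entry archive in memory, then extracts it with the JDK's `java.util.zip.ZipFile` (the commit message indicates the project moved to the commons-compress `ZipFile`; the per-entry check is identical there) and a pre-scan that rejects the whole archive before any file is written. The class and method names are the example's own.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class SafeUnzipDemo {

    // Constructed sample archive (hypothetical, for this example only): one benign
    // entry and one whose name tries to climb out of the extraction root.
    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("plugin-descriptor.properties"));
            zos.write("name=demo\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../outside.txt")); // Zip Slip style name
            zos.write("escaped\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return buf.toByteArray();
    }

    // Core Zip Slip mitigation: resolve the entry name under the root, normalize
    // away ".." segments, and require the result to remain inside the root.
    // Path.startsWith compares whole components, so "root-evil" cannot match
    // "root"; an absolute entry name replaces the root on resolve and is rejected too.
    static Path resolveSafely(Path root, String entryName) throws IOException {
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("archive entry escapes extraction root: " + entryName);
        }
        return target;
    }

    // Extract with ZipFile (central-directory based) in two passes: validate every
    // entry first so a hostile entry late in the archive cannot leave a partially
    // written plugin behind, then write. Returns the relative paths written.
    static List<String> extract(Path zipPath, Path root) throws IOException {
        Path base = root.toAbsolutePath().normalize();
        List<String> written = new ArrayList<>();
        try (ZipFile zip = new ZipFile(zipPath.toFile())) {
            List<? extends ZipEntry> entries = Collections.list(zip.entries());
            for (ZipEntry entry : entries) {
                resolveSafely(base, entry.getName()); // pass 1: fail closed
            }
            for (ZipEntry entry : entries) {          // pass 2: write
                Path target = resolveSafely(base, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                try (InputStream in = zip.getInputStream(entry)) {
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
                written.add(base.relativize(target).toString());
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("zipslip-demo");
        Path zipPath = tmp.resolve("sample.zip");
        Files.write(zipPath, buildSampleZip());
        Path root = Files.createDirectories(tmp.resolve("extracted"));
        try {
            System.out.println("written: " + extract(zipPath, root));
        } catch (IOException e) {
            System.out.println("archive rejected: " + e.getMessage());
        }
        // Because validation runs before any write, neither the benign entry nor
        // the escaping one reaches disk for this sample archive.
        System.out.println("benign entry on disk: "
            + Files.exists(root.resolve("plugin-descriptor.properties")));
        System.out.println("escaped file on disk: "
            + Files.exists(tmp.resolve("outside.txt")));
    }
}
```

Compile and run with `javac SafeUnzipDemo.java && java SafeUnzipDemo`; the temporary directory is left in place so the two `exists` checks can be inspected by hand. Reading entries through `ZipFile` rather than a streaming `ZipInputStream` is what lets the pre-scan enumerate the central directory cheaply before committing any write.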
@github-actions
Contributor

github-actions bot commented May 2, 2023

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      2 org.opensearch.search.SearchWeightedRoutingIT.testStrictWeightedRoutingWithCustomString
      1 org.opensearch.backwards.MixedClusterClientYamlTestSuiteIT.test {p0=pit/10_basic/Delete all}

@codecov-commenter

Codecov Report

Merging #7366 (4f1dc6f) into 2.x (0bb44f0) will increase coverage by 0.17%.
The diff coverage is 100.00%.


@@             Coverage Diff              @@
##                2.x    #7366      +/-   ##
============================================
+ Coverage     70.23%   70.41%   +0.17%     
- Complexity    59691    59768      +77     
============================================
  Files          4850     4850              
  Lines        287212   287212              
  Branches      41728    41727       -1     
============================================
+ Hits         201737   202235     +498     
+ Misses        68564    68075     -489     
+ Partials      16911    16902       -9     
Impacted Files | Coverage Δ
...a/org/opensearch/plugins/InstallPluginCommand.java | 85.14% <100.00%> (ø)

... and 498 files with indirect coverage changes

@dblock dblock merged commit d88c4a6 into opensearch-project:2.x May 3, 2023
27 checks passed