Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tests for the Zip Slip vuln raise alarms by ClamAV antivirus... #384

Closed
MaximeDerche opened this issue Oct 2, 2018 · 2 comments · Fixed by #405
Closed

Tests for the Zip Slip vuln raise alarms by ClamAV antivirus... #384

MaximeDerche opened this issue Oct 2, 2018 · 2 comments · Fixed by #405

Comments

@MaximeDerche
Copy link

MaximeDerche commented Oct 2, 2018

Hello,

Since the 21st Sept. I get the following messages from my daily ClamAV scan:

/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/tuzovakaoff/symlink.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/relative1.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/jwilk/relative2.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND

This is because the Sanesecurity signature base gets those three files as vulnerable to a known risk.

I understand those files come from the commit d07b13a (Merge pull request #376 from jdleesmiller/fix-cve-2018-1000544) for version 1.2.2, which fixes the Zip Slip (CVE-2018-1000544) vulnerability.

Would it be possible to just delete those files?

Kind regards,
-- Maxime DERCHE

@jdleesmiller
Copy link
Member

jdleesmiller commented Mar 3, 2019

Thanks for reporting this, and sorry for the trouble caused by my patch!

One solution would be to exclude the test files from the gem. I'm not sure what the best practice here is. The discussion here suggests that it would be OK to exclude the test files: https://stackoverflow.com/questions/37800233/should-one-include-tests-in-a-packaged-gem

There are some counterpoints here: rubygems/rubygems#735

A possible compromise would be to exclude the path traversal test files from the gem and adjust the test suite to skip those tests if they are missing.

I'm certainly open to other suggestions.

@GElkayam
Copy link

GElkayam commented Jun 4, 2019

hi @jdleesmiller,
Joining in on the request to exclude test_files from gemspec. as can be seen on rubygems/rubygems#735 many packages are removing this as it is not needed anymore.
For me specifically due to malware scanning of packages before admitting to network, the file zipWithEncryption.zip causes a silly alert as the 3rd party system can not scan it. Removing the tests (which are not needed anymore) will solve the issue, and lighten the gem.

This was referenced Mar 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants