opsysdebug
Contributor

@opsysdebug opsysdebug commented Jun 4, 2025

```go
for _, file := range r.File {
	// file.Name comes straight from the archive and is joined onto destDir
	// without any validation of ".." segments or absolute paths.
	destPath := filepath.Join(destDir, file.Name)
	if file.FileInfo().IsDir() {
		// Create directories
		if err := os.MkdirAll(destPath, os.ModePerm); err != nil {
			return fmt.Errorf("failed to create directory %s: %w", destPath, err)
		}
		continue
	}
	// Extract files
	destFile, err := os.OpenFile(destPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
	if err != nil {
		return fmt.Errorf("failed to create file %s: %w", destPath, err)
	}
	srcFile, err := file.Open()
	if err != nil {
		destFile.Close()
		return fmt.Errorf("failed to open file in ZIP archive %s: %w", file.Name, err)
	}
	_, err = io.Copy(destFile, srcFile)
	destFile.Close()
	srcFile.Close()
	if err != nil {
		return fmt.Errorf("failed to extract file %s: %w", file.Name, err)
	}
}
```

Fixing the issue requires validating the file.Name field from the ZIP archive before using it to construct file paths. Specifically:

  1. Ensure that file.Name does not contain directory traversal elements (..) or absolute paths.
  2. Use filepath.Clean to normalize the path and check that the resulting path is within the intended destDir.

The fix involves:

  • Adding a check to ensure file.Name does not contain .. or result in paths outside destDir.
  • Using filepath.Clean to sanitize the path.
  • Rejecting or skipping files with invalid paths.

Zip Slip Vulnerability
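A hardened version of the extraction loop in the shape the description above calls for (clean the joined path, confirm it stays under destDir, reject anything else), added here as an example; it is not the cilium-cli code or the merged commit, takes an in-memory *zip.Reader, and the names safeJoin and extractZip are its own.

```go
package main

import (
	"archive/zip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// safeJoin resolves name under destDir, rejecting absolute names and any name that escapes destDir once cleaned.
func safeJoin(destDir, name string) (string, error) {
	base := filepath.Clean(destDir)
	dest := filepath.Join(base, filepath.FromSlash(name)) // Join also Cleans, so "a/../../x" is normalised first
	rel, err := filepath.Rel(base, dest)                  // "." or a plain relative path means dest is inside base
	if err != nil || filepath.IsAbs(name) || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("unsafe zip entry name %q", name)
	}
	return dest, nil
}

// extractZip unpacks r into destDir; every name is validated before any I/O and one bad entry rejects the archive.
func extractZip(r *zip.Reader, destDir string) error {
	for _, file := range r.File {
		destPath, err := safeJoin(destDir, file.Name)
		if err != nil {
			return err
		}
		if file.FileInfo().IsDir() {
			continue // parent dirs are created on demand below; empty dirs are not recreated
		}
		if err := os.MkdirAll(filepath.Dir(destPath), 0o755); err != nil {
			return err
		}
		src, err := file.Open()
		if err != nil {
			return err
		}
		content, err := io.ReadAll(src) // entries are small in this example
		src.Close()
		if err != nil {
			return err
		}
		if err := os.WriteFile(destPath, content, file.Mode().Perm()); err != nil {
			return err
		}
	}
	return nil
}
```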

@opsysdebug opsysdebug requested a review from a team as a code owner June 4, 2025 14:06
@opsysdebug opsysdebug requested a review from asauber June 4, 2025 14:06
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 4, 2025
@github-actions github-actions bot added cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary kind/community-contribution This was a contribution made by a community member. labels Jun 4, 2025
Member

@asauber asauber left a comment


Thank you for the contribution. I don't see any downside to these additional checks. Thankfully, this unzip codepath is used only within the context of temporary workflow runners.

Will run tests and let's look for everything to pass.

@asauber asauber added the release-note/ci This PR makes changes to the CI. label Jun 5, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jun 5, 2025
@asauber
Member

asauber commented Jun 5, 2025

/test

@joestringer joestringer enabled auto-merge June 25, 2025 15:42
@joestringer joestringer requested review from a team and tklauser and removed request for a team June 25, 2025 15:42
@joestringer
Member

We reviewed the list of stuck PRs during the community meeting and this PR came up. It looks like the PR stalled due to test failures; I've retriggered them to hopefully unblock that. Additionally, due to team changes the cilium-cli approval is no longer valid. I've re-requested review from @cilium/cli to help shepherd this PR into the tree. Thanks for your contribution.

Signed-off-by: Zeroday BYTE <github@zerodaysec.org>
@tklauser
Member

/test

@joestringer joestringer added this pull request to the merge queue Jun 26, 2025
Merged via the queue into cilium:main with commit 240441f Jun 26, 2025
68 checks passed
@maintainer-s-little-helper maintainer-s-little-helper bot added ready-to-merge This PR has passed all tests and received consensus from code owners to merge. labels Jun 26, 2025