From 38df0939bb59c94e671199a4bafc195067e1abf7 Mon Sep 17 00:00:00 2001
From: Julian Thome
Date: Fri, 15 Mar 2024 14:45:19 +0100
Subject: [PATCH 1/8] Restrict zip decompression
---
 commands/ci/artifact/artifact.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/commands/ci/artifact/artifact.go b/commands/ci/artifact/artifact.go
index 964a3d0f9..133fe8bba 100644
--- a/commands/ci/artifact/artifact.go
+++ b/commands/ci/artifact/artifact.go
@@ -28,6 +28,10 @@ func ensurePathIsCreated(filename string) error {
 return nil
 }
 
+// Read limit is 4GB
+const zipReadLimit = 4 * 1024 * 1024 * 1024
+const zipFileLimit = 100000
+
 func sanitizeAssetName(asset string) string {
 if !strings.HasPrefix(asset, "/") {
 // Prefix the asset with "/" ensures that filepath.Clean removes all `/..`
@@ -49,6 +53,7 @@ func NewCmdRun(f *cmdutils.Factory) *cobra.Command {
 Long: ``,
 Args: cobra.ExactArgs(2),
 RunE: func(cmd *cobra.Command, args []string) error {
+
 repo, err := f.BaseRepo()
 if err != nil {
 return err
@@ -82,6 +87,12 @@ func NewCmdRun(f *cmdutils.Factory) *cobra.Command {
 path = path + "/"
 }
 
+ var written int64 = 0
+
+ if len(zipReader.File) > zipFileLimit {
+ return fmt.Errorf("zip archive includes too many files: limit is %d files", zipFileLimit)
+ }
+
 for _, v := range zipReader.File {
 sanitizedAssetName := sanitizeAssetName(v.Name)
 
@@ -105,6 +116,8 @@ func NewCmdRun(f *cmdutils.Factory) *cobra.Command {
 }
 defer srcFile.Close()
 
+ limitedReader := io.LimitReader(srcFile, zipReadLimit)
+
 err = ensurePathIsCreated(destPath)
 if err != nil {
 return err
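Review bot: The comment above the new constants reads only `// Read limit is 4GB`; it does not mention `zipFileLimit` at all and does not say what either value bounds, although these two caps are the whole mitigation this series adds for oversized or entry-heavy artifact archives. Suggested replacement for the comment: `// zipReadLimit caps the total bytes written to disk while extracting an artifact archive and zipFileLimit caps the number of entries; both bound resource use from an archive whose contents are not trusted.` The constants sit at package level, so the doc comment is the only place a reader of the extraction loop is told why the limits exist.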
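Review bot: `var written int64 = 0` spells out the zero value; the Go form is `var written int64`, and the formatting commit later in this series applies exactly that fix to `writtenPerFile` but leaves this declaration as it is. The entry-count guard `if len(zipReader.File) > zipFileLimit` is placed before the loop, ahead of any entry being opened, which is where it belongs. The enclosing RunE closure starts and ends outside this hunk.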
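Review bot: `limitedReader := io.LimitReader(srcFile, zipReadLimit)` hands every entry the full 4GB budget regardless of how much the loop has already written, so the total check in the following hunk (`written >= zipReadLimit`) can only fire after close to twice the limit has reached disk: with `written` at limit-1 bytes after one entry, the next entry may copy a further limit bytes before the comparison runs. Sizing the reader to the remaining budget closes the gap: `limitedReader := io.LimitReader(srcFile, zipReadLimit-written)`. With that change an entry that exhausts the budget is cut at exactly the limit, which the existing `>=` comparison then reports as an error instead of leaving a silently truncated file in place. `written` is declared before the loop in the earlier hunk, so it is in scope here; the loop body and RunE closure continue outside the hunk.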
@@ -120,9 +133,15 @@ func NewCmdRun(f *cmdutils.Factory) *cobra.Command {
 if err != nil {
 return err
 }
- if _, err := io.Copy(dstFile, srcFile); err != nil {
+ var writtenPerFile int64 = 0
+ if writtenPerFile, err = io.Copy(dstFile, limitedReader); err != nil {
 return err
 }
+
+ written += writtenPerFile
+ if written >= zipReadLimit {
+ return fmt.Errorf("Extracted zip too large: limit is %d bytes", zipReadLimit)
+ }
 }
 }
 return nil
-- 
GitLab
From a92b08f45b57bc7187e2b942d114c9a46a012ce8 Mon Sep 17 00:00:00 2001
From: Julian Thome
Date: Fri, 15 Mar 2024 15:34:57 +0100
Subject: [PATCH 2/8] fix formatting
---
 commands/ci/artifact/artifact.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/commands/ci/artifact/artifact.go b/commands/ci/artifact/artifact.go
index 133fe8bba..a0ad07278 100644
--- a/commands/ci/artifact/artifact.go
+++ b/commands/ci/artifact/artifact.go
@@ -29,8 +29,10 @@ func ensurePathIsCreated(filename string) error {
 }
 
 // Read limit is 4GB
-const zipReadLimit = 4 * 1024 * 1024 * 1024
-const zipFileLimit = 100000
+const (
+ zipReadLimit = 4 * 1024 * 1024 * 1024
+ zipFileLimit = 100000
+)
 
 func sanitizeAssetName(asset string) string {
 if !strings.HasPrefix(asset, "/") {
@@ -53,7 +55,6 @@ func NewCmdRun(f *cmdutils.Factory) *cobra.Command {
 Long: ``,
 Args: cobra.ExactArgs(2),
 RunE: func(cmd *cobra.Command, args []string) error {
-
 repo, err := f.BaseRepo()
 if err != nil {
 return err
@@ -133,7 +134,7 @@ func NewCmdRun(f *cmdutils.Factory) *cobra.Command {
 if err != nil {
 return err
 }
- var writtenPerFile int64 = 0
+ var writtenPerFile int64
 if writtenPerFile, err = io.Copy(dstFile, limitedReader); err != nil {
 return err
 }
-- 
GitLab
From 39f9230895ac655fce215dd2b440fc173dc9bffa Mon Sep 17 00:00:00 2001
From: Julian Thome
Date: Fri, 15 Mar 2024 15:46:55 +0100
Subject: [PATCH 3/8] Restrict zip decompression
-- 
GitLab
From 1af1acff819609c4f73806fc4ac3566b55bd9c0c Mon Sep 17 00:00:00 2001
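Review bot: The new error string `Extracted zip too large: limit is %d bytes` is capitalized while the entry-count error added in the same change is lowercase; Go error strings are conventionally lowercase, and the later commits in this series touch this line without changing that, so `return fmt.Errorf("extracted zip too large: limit is %d bytes", zipReadLimit)`. Separately, because the size comparison runs only after `io.Copy` returns, an archive that inflates to the limit has already had up to `zipReadLimit` bytes written under `destPath` by the time extraction is refused. Summing `v.UncompressedSize64` from the entry headers before the loop and refusing when that sum exceeds `zipReadLimit` rejects archives that declare their size honestly before anything touches disk; the streamed `written` check must stay as the actual enforcement, since header sizes are attacker-controlled. The loop and the RunE closure begin outside this hunk.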
From: Julian Thome
Date: Fri, 15 Mar 2024 15:55:20 +0100
Subject: [PATCH 4/8] fix: estrict zip decompression
-- 
GitLab
From d7931338c727c81061740104899844a3ce2a9f77 Mon Sep 17 00:00:00 2001
From: Julian Thome
Date: Fri, 15 Mar 2024 15:56:33 +0100
Subject: [PATCH 5/8] fix: restrict zip decompression
-- 
GitLab
From 81e0bf5954264013d69414b65c12813bd8e1b73c Mon Sep 17 00:00:00 2001
From: Julian Thome
Date: Fri, 15 Mar 2024 16:31:35 +0100
Subject: [PATCH 6/8] int format
---
 commands/ci/artifact/artifact.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/commands/ci/artifact/artifact.go b/commands/ci/artifact/artifact.go
index 133fe8bba..6bc9c1331 100644
--- a/commands/ci/artifact/artifact.go
+++ b/commands/ci/artifact/artifact.go
@@ -140,7 +140,7 @@ func NewCmdRun(f *cmdutils.Factory) *cobra.Command {
 
 written += writtenPerFile
 if written >= zipReadLimit {
- return fmt.Errorf("Extracted zip too large: limit is %d bytes", zipReadLimit)
+ return fmt.Errorf("Extracted zip too large: limit is %d bytes", int(zipReadLimit))
 }
 }
 }
-- 
GitLab
From 477e820176e88ed4c68929176aae7ec95b0abc30 Mon Sep 17 00:00:00 2001
From: Julian Thome
Date: Fri, 15 Mar 2024 16:54:45 +0100
Subject: [PATCH 7/8] make type excplicit
---
 commands/ci/artifact/artifact.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/commands/ci/artifact/artifact.go b/commands/ci/artifact/artifact.go
index 72c17fc8c..7b141c6aa 100644
--- a/commands/ci/artifact/artifact.go
+++ b/commands/ci/artifact/artifact.go
@@ -30,8 +30,8 @@ func ensurePathIsCreated(filename string) error {
 
 // Read limit is 4GB
 const (
- zipReadLimit = 4 * 1024 * 1024 * 1024
- zipFileLimit = 100000
+ zipReadLimit int64 = 4 * 1024 * 1024 * 1024
+ zipFileLimit int = 100000
 )
 
 func sanitizeAssetName(asset string) string {
@@ -141,7 +141,7 @@ func NewCmdRun(f *cmdutils.Factory) *cobra.Command {
 
 written += writtenPerFile
 if written >= zipReadLimit {
- return fmt.Errorf("Extracted zip too large: limit is %d bytes", int(zipReadLimit))
+ return fmt.Errorf("Extracted zip too large: limit is %d bytes", zipReadLimit)
 }
 }
 }
-- 
GitLab
From fbcfd98947286b0043e4c3c370e174b86cb1a7f2 Mon Sep 17 00:00:00 2001
From: Julian Thome
Date: Fri, 15 Mar 2024 17:17:04 +0100
Subject: [PATCH 8/8] make fix
---
 commands/ci/artifact/artifact.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/commands/ci/artifact/artifact.go b/commands/ci/artifact/artifact.go
index 7b141c6aa..e88555251 100644
--- a/commands/ci/artifact/artifact.go
+++ b/commands/ci/artifact/artifact.go
@@ -31,7 +31,7 @@ func ensurePathIsCreated(filename string) error {
 // Read limit is 4GB
 const (
 zipReadLimit int64 = 4 * 1024 * 1024 * 1024
- zipFileLimit int = 100000
+ zipFileLimit int = 100000
 )
 
 func sanitizeAssetName(asset string) string {
-- 
GitLab