fix CWE-23: prevent zipslip/directory traversal attacks #9159
base: main
Add `filter='data'` parameter to all `tar.extractall()` calls to prevent directory traversal (zipslip) vulnerabilities. This change ensures that tar extraction operations reject any archive members that attempt to write outside the intended extraction directory.

Affected modules:

- amg: restore operations from Grafana archive files
- aosm: helm package extraction for AOSM definitions
- confcom: container image tar file processing and manifest extraction
- connectedk8s: Arc Connectivity proxy binary extraction
- containerapp: Java buildpack source code extraction
- networkcloud: custom action result blob extraction
- ssh: SSH proxy binary extraction from MCR packages

The `filter='data'` parameter is available in Python 3.11.4+ and provides built-in protection against malicious tar archives containing entries with absolute paths or relative paths that traverse outside the extraction directory.

References:

- https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
- https://cwe.mitre.org/data/definitions/23.html
Validation for Breaking Change Starting...

Thanks for your contribution!

Hi @locus-x64,

Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).

`pip install azdev --upgrade`
`azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>`
Pull Request Overview
This PR adds the filter='data' parameter to all tar.extractall() calls across multiple Azure CLI extensions to prevent CWE-23 directory traversal (zipslip) vulnerabilities. This security enhancement ensures that tar extraction operations reject malicious archive members that attempt to write outside the intended extraction directory.
- Adds built-in protection against zipslip attacks using Python's data filter
- Applies the fix consistently across 8 different Azure CLI extensions
- Maintains existing functionality while enhancing security posture
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/ssh/azext_ssh/connectivity_utils.py | Added filter parameter to SSH proxy binary extraction |
| src/networkcloud/azext_networkcloud/operations/custom_properties.py | Added filter parameter to custom action result blob extraction |
| src/containerapp/azext_containerapp/tests/latest/test_containerapp_create_update_up_java.py | Added filter parameter to Java buildpack source code extraction |
| src/connectedk8s/azext_connectedk8s/clientproxyhelper/_binaryutils.py | Added filter parameter to Arc Connectivity proxy binary extraction |
| src/confcom/azext_confcom/tests/latest/test_confcom_tar.py | Added filter parameter to container image tar file processing |
| src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py | Added filter parameter to container image tar file processing |
| src/confcom/azext_confcom/os_util.py | Added filter parameter to tar.extract calls for manifest extraction |
| src/aosm/azext_aosm/common/utils.py | Added filter parameter to helm package extraction |
| src/amg/azext_amg/restore.py | Added filter parameter to Grafana archive file extraction |
Thank you for your contribution @locus-x64! We will review the pull request and get back to you soon.
@microsoft-github-policy-service agree company="Ebryx"
…y fix

Update version numbers and HISTORY entries for extensions affected by the zipslip security fix in commit 5de16cc:

- amg: 2.8.1 → 2.8.2
- aosm: 2.0.0b2 → 2.0.0b3
- confcom: 1.2.7 → 1.2.8
- connectedk8s: 1.10.8 → 1.10.9
- networkcloud: 3.0.0 → 3.0.1
- ssh: 2.0.6 → 2.1.0

Each extension's HISTORY file now documents the security fix that prevents zipslip/directory traversal attacks during tar archive extraction operations. Resolves maintainer feedback for release preparation.
This checklist is used to make sure that common guidelines for a pull request are followed.

Related command

General Guidelines

- Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)

For new extensions:

About Extension Publish

There is a pipeline to automatically build, upload and publish extension wheels. Once your pull request is merged into the main branch, a new pull request will be created to update src/index.json automatically. You only need to update the version information in the file setup.py and the historical information in the file HISTORY.rst in your PR, but do not modify src/index.json.