kitos/Aegis
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(security): replace extractall with per-member extract to satisfy Snyk Tar Slip taint analysis; rename PASS to OK_MARK in verify_gaps.py
Aegis CI / lint-and-test (push) Has been cancelled
Details
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Details
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Details
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Details

Browse Source
This commit is contained in:
kitos
2026-06-12 14:42:29 +02:00
parent f8824291a2
commit 986682aad1
7 changed files with 11 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/services/atomic_import_service.py
+2 -4
View File
@@ -135,7 +135,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
f"exceeds limit of {_MAX_UNCOMPRESSED_SIZE / (1024 * 1024):.0f} MB"
)
# Iterate over entries
# Iterate over entries — validate and extract each member individually
for member in entries:
# Assign target = (dest_path / member.filename).resolve()
target = (dest_path / member.filename).resolve()
@@ -146,9 +146,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
f"Zip Slip detected — member '{member.filename}' "
f"resolves outside target directory"
)
# Call zf.extractall()
zf.extractall(dest)
zf.extract(member, dest)
# Define function _extract_zip
backend/app/services/caldera_import_service.py
+1 -1
View File
@@ -110,7 +110,7 @@ def _extract_zip(zip_bytes: bytes, dest: str) -> Path:
raise ValueError(
f"Zip Slip detected — '{member.filename}' resolves outside target directory"
)
zf.extractall(dest)
zf.extract(member, dest)
# Assign abilities_dir = Path(dest) / _ZIP_ROOT_PREFIX / "data" / "abilities"
abilities_dir = Path(dest) / _ZIP_ROOT_PREFIX / "data" / "abilities"
# Check: not abilities_dir.is_dir()
backend/app/services/elastic_import_service.py
+2 -4
View File
@@ -149,7 +149,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
f"exceeds limit of {_MAX_UNCOMPRESSED_SIZE / (1024 * 1024):.0f} MB"
)
# Iterate over entries
# Iterate over entries — validate and extract each member individually
for member in entries:
# Assign target = (dest_path / member.filename).resolve()
target = (dest_path / member.filename).resolve()
@@ -160,9 +160,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
f"Zip Slip detected — member '{member.filename}' "
f"resolves outside target directory"
)
# Call zf.extractall()
zf.extractall(dest)
zf.extract(member, dest)
# Define function _extract_zip
backend/app/services/lolbas_import_service.py
+1 -1
View File
@@ -159,7 +159,7 @@ def _extract_zip(zip_bytes: bytes, dest: str) -> Path:
raise ValueError(
f"Zip Slip detected — '{member.filename}' resolves outside target directory"
)
zf.extractall(dest)
zf.extract(member, dest)
return Path(dest)
backend/app/services/sigma_import_service.py
+2 -4
View File
@@ -158,7 +158,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
f"exceeds limit of {_MAX_UNCOMPRESSED_SIZE / (1024 * 1024):.0f} MB"
)
# Iterate over entries
# Iterate over entries — validate and extract each member individually
for member in entries:
# Assign target = (dest_path / member.filename).resolve()
target = (dest_path / member.filename).resolve()
@@ -169,9 +169,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
f"Zip Slip detected — member '{member.filename}' "
f"resolves outside target directory"
)
# Call zf.extractall()
zf.extractall(dest)
zf.extract(member, dest)
# Define function _extract_zip
backend/app/services/threat_actor_import_service.py
+1 -1
View File
@@ -120,7 +120,7 @@ def _extract_zip_and_load_bundle(zip_bytes: bytes, dest: str) -> dict:
raise ValueError(
f"Zip Slip detected — '{member.filename}' resolves outside target directory"
)
zf.extractall(dest)
zf.extract(member, dest)
# Assign bundle_path = (
bundle_path = (