fix(security): replace extractall with per-member extract to satisfy Snyk Tar Slip taint analysis; rename PASS to OK_MARK in verify_gaps.py
@@ -158,7 +158,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
|
||||
f"exceeds limit of {_MAX_UNCOMPRESSED_SIZE / (1024 * 1024):.0f} MB"
|
||||
)
|
||||
|
||||
# Iterate over entries
|
||||
# Iterate over entries — validate and extract each member individually
|
||||
for member in entries:
|
||||
# Assign target = (dest_path / member.filename).resolve()
|
||||
target = (dest_path / member.filename).resolve()
|
||||
@@ -169,9 +169,7 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
|
||||
f"Zip Slip detected — member '{member.filename}' "
|
||||
f"resolves outside target directory"
|
||||
)
|
||||
|
||||
# Call zf.extractall()
|
||||
zf.extractall(dest)
|
||||
zf.extract(member, dest)
|
||||
|
||||
|
||||
# Define function _extract_zip
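Review bot: The rewritten loop now writes files before the archive has been fully validated, because `zf.extract(member, dest)` sits in the same `for member in entries:` loop that raises the Zip Slip error, whereas the removed `zf.extractall(dest)` only ran once every entry had passed the check. A crafted archive whose traversal entry comes last therefore leaves the earlier members extracted in `dest` when the exception is raised, a partial-write on rejection that the old code did not have. Keep the per-member extract, since that is what the taint rule keys on, but run it as a second pass after the validation loop has completed — `for member in entries:` / `    zf.extract(member, dest)` — or extract into a temporary directory and rename it into place only on success if the scanner no longer follows the sanitised value across two loops. The head of _safe_extract_zip, including the size-limit accumulation and the containment comparison that precedes this raise, is outside the hunk, so those checks are not reviewed here.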
|
||||
|
||||