Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Go Module github.com/mholt/archiver/v3 Flagged with High Security Vulnerability #424

Closed
stevesim101 opened this issue Sep 1, 2021 · 4 comments · Fixed by #433
Closed

Go Module github.com/mholt/archiver/v3 Flagged with High Security Vulnerability #424

stevesim101 opened this issue Sep 1, 2021 · 4 comments · Fixed by #433
Assignees
@yahavi
Labels
bug Something isn't working

Comments

@stevesim101
Copy link

Describe the bug
When trying to use the JFrog Go client, my company's enterprise SCA platform is flagging github.com/mholt/archiver/v3 with a high security vulnerability.

https://securitylab.github.com/advisories/GHSL-2020-252-zipslip-archiver

I was wondering if you could share your short-term or long-term plans to address this. Even if there is no immediate fix, I just need some insight on the current and future state of this to provide a bit of context to my company's compliance teams.

To Reproduce
N/A

Expected behavior
N/A

Screenshots
N/A

Versions

  • JFrog Go client version: v1.4.0
  • JFrog Go client operating system:
  • Artifactory version:

Additional context
Add any other context about the problem here.
@stevesim101 stevesim101 added the bug Something isn't working label Sep 1, 2021
@yahavi
Copy link
Member

yahavi commented Sep 13, 2021

@stevesim101
Thanks for reporting this issue.
It looks like the Archiver maintainer won't going to fix this issue. see "Security note" under https://github.com/mholt/archiver#library-use. However, we do have plans to replace Unarchive with Walk as advised by the maintainer. Using Walk, we should be able to sanitized and extract the archive entries safely.

We'll let you know once this issue is fixed.

@yahavi yahavi mentioned this issue Sep 24, 2021
Merged
3 tasks
@stevesim101
Copy link
Author

Thank you @yahavi for the update!

@yahavi yahavi linked a pull request Oct 15, 2021 that will close this issue
Inspect archive before extraction #433
Merged
3 tasks
@yahavi yahavi self-assigned this Oct 15, 2021
@yahavi
Copy link
Member

yahavi commented Oct 15, 2021

@stevesim101,
We merged #433 to the dev branch.
From the next version, archives will be sanitized before extraction.
We'll keep you updated.

@yahavi yahavi closed this as completed Oct 15, 2021
@yahavi yahavi pinned this issue Oct 15, 2021
@stevesim101
Copy link
Author

Thanks @yahavi!

@gailazar300 gailazar300 unpinned this issue Mar 27, 2022
@yahavi yahavi pinned this issue Apr 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yahavi yahavi

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Inspect archive before extraction yahavi/jfrog-client-go
2 participants
@yahavi @stevesim101