-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Go: zip-slip FP / missed a zip-slip guard in argoproj/argo-cd #17573
Comments
I'm afraid while the Go library does make an effort to 'promote' sanitizers or validation checks out of wrapper methods like
We'll take this into account for future improvements to our guard-promotion logic, but can't promise a timescale on that because it's a nontrivial effort. For the time being I'm afraid you'll have to dismiss this as a false alert. |
In the interim, can the qhelp at least be improved to at least draw people's attention to these deficiencies? codeql/go/ql/src/Security/CWE-022/ZipSlip.qhelp Lines 33 to 41 in 590e93d
I understand that improved algorithms take time, but if I can get some documentation improved to save me from similar reports in the interim I would definitely take/appreciate that. |
I note this isn't zipslip-specific -- there are always a lot of ways to sanitize something, and all our queries do their best to identify when you have made an appropriate check, but will sometimes fail to identify the check and so raise an alert regardless. So I will share the feedback, but probably won't make a zipslip-specific note for this. |
codeql/go/ql/src/Security/CWE-022/ZipSlip.ql
Lines 22 to 23 in 590e93d
Here's my fork's report:
https://github.com/check-spelling-sandbox/argo-cd/security/code-scanning/4
Arbitrary file access during archive extraction ("Zip Slip")
Code snippet
util/io/files/tar.go:75
Here's the accused flow:
Arbitrary file access during archive extraction ("Zip Slip")
Step 1 ... := ...[0]
Source
util/io/files/tar.go:75
Step 2 selection of Name
util/io/files/tar.go:86
Note
There is a check for zip-slip right here in the form of Inbound:
Step 3 call to Join
util/io/files/tar.go:86
Step 4 target
Sink
util/io/files/tar.go:98
The text was updated successfully, but these errors were encountered: