fix CWE-23: prevent zipslip/directory traversal attacks
Add filter='data' parameter to all tar.extractall() calls to prevent directory traversal (zipslip) vulnerabilities. This change ensures that tar extraction operations reject any archive members that attempt to write outside the intended extraction directory.
Affected modules:
- amg: restore operations from Grafana archive files
- aosm: helm package extraction for AOSM definitions
- confcom: container image tar file processing and manifest extraction
- connectedk8s: Arc Connectivity proxy binary extraction
- containerapp: Java buildpack source code extraction
- networkcloud: custom action result blob extraction
- ssh: SSH proxy binary extraction from MCR packages
The filter='data' parameter is available in Python 3.11.4+ and provides built-in protection against malicious tar archives containing entries with absolute paths or relative paths that traverse outside the extraction directory.
References:
- https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall
- https://cwe.mitre.org/data/definitions/23.html
This checklist is used to make sure that common guidelines for a pull request are followed.
Related command
General Guidelines
- [X] Have you run `azdev style <YOUR_EXT>` locally? (`pip install azdev` required)
- [X] Have you run `python scripts/ci/test_index.py -q` locally? (`pip install wheel==0.30.0` required)
- [X] My extension version conforms to the Extension version schema
For new extensions:
- [ ] My extension description/summary conforms to the Extension Summary Guidelines.
About Extension Publish
There is a pipeline to automatically build, upload and publish extension wheels.
Once your pull request is merged into main branch, a new pull request will be created to update src/index.json automatically.
You only need to update the version information in file setup.py and historical information in file HISTORY.rst in your PR but do not modify src/index.json.
Validation for Breaking Change Starting...
Thanks for your contribution!
Hi @locus-x64, Please write the description of changes which can be perceived by customers into HISTORY.rst. If you want to release a new extension version, please update the version in setup.py as well.
Thank you for your contribution! We will review the pull request and get back to you soon.
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.
Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). After that please run the following commands to enable git hooks:
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
Thank you for your contribution @locus-x64! We will review the pull request and get back to you soon.
CodeGen Tools Feedback Collection
Thank you for using our CodeGen tool. We value your feedback, and we would like to know how we can improve our product. Please take a few minutes to fill our codegen survey
@microsoft-github-policy-service agree company="Ebryx"
- For more info about extension versioning, please refer to Extension version schema