
Potential fix for code scanning alert no. 1745: Arbitrary file access during archive extraction ("Zip Slip")

Open harshach opened this issue 3 weeks ago • 1 comment

Potential fix for https://github.com/open-metadata/OpenMetadata/security/code-scanning/1745

General Fix Approach:
The best way to address this vulnerability is to validate that archive entry names do not enable traversal outside the intended root directory. Before using the archive entry name (fileName) in a filesystem operation or resource lookup, normalize the path and check that it is strictly inside a safe base directory.

Detailed Fix:
Since archive entries from jars can contain relative paths, sanitize these before returning from getResourcesFromJarFile. Specifically:

  • For each entry name, convert it to a Path, normalize the path, and check that it does not contain unsafe path segments like .. or absolute path markers.
  • Only include valid, safe paths in the result.

Which files/lines to edit:

  • Edit the method getResourcesFromJarFile in common/src/main/java/org/openmetadata/common/utils/CommonUtil.java, lines around 88–104.
  • Sanitize the archive entry names before returning.
  • If any utility method for safe path checking is needed (e.g., isSafeZipEntryName), add it inside the same file.

Needed imports/methods:

  • If not present, import java.nio.file.Paths and java.nio.file.Path.
  • May need to add a private static method for path validation.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


Summary by Gitar

  • Security enhancement:
    • Added isSafeZipEntryName validation method in CommonUtil.java to prevent Zip Slip path traversal attacks
  • Path validation:
    • Validates ZIP entry names using Path.normalize() to block absolute paths, .. segments, and empty path components
  • Integration:
    • Modified getResourcesFromJarFile to check entry safety before pattern matching with warning logs for unsafe entries

This will update automatically on new commits.


harshach · Dec 10 '25 03:12
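An added illustration of the check the description above calls for; this is example code, not the project's own. The method name isSafeZipEntryName is taken from the description, while the class name, the filter helper, the regex and the sample entry names are constructed for this example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class ZipEntryNameCheck {
    /** True only if the entry name, once normalized, stays strictly inside the root. */
    static boolean isSafeZipEntryName(String entryName) {
        if (entryName == null || entryName.isEmpty()) return false;
        Path path;
        try {
            path = Paths.get(entryName);
        } catch (InvalidPathException e) {
            return false; // characters the filesystem rejects, e.g. NUL
        }
        // Absolute entries (or a bare root such as "\foo" on Windows) escape outright.
        if (path.isAbsolute() || path.getRoot() != null) return false;
        // Normalize first so "a/../../b" collapses to "../b"; any surviving ".."
        // or empty component means the name did not stay inside the root.
        Path normalized = path.normalize();
        for (Path segment : normalized) {
            String s = segment.toString();
            if (s.isEmpty() || s.equals("..")) return false;
        }
        return !normalized.toString().isEmpty();
    }

    /** Filter step as described for getResourcesFromJarFile: reject before matching, warn on rejects. */
    static List<String> safeMatchingEntries(List<String> entryNames, Pattern pattern) {
        List<String> out = new ArrayList<>();
        for (String name : entryNames) {
            if (!isSafeZipEntryName(name)) {
                System.err.println("WARN: skipping unsafe jar entry: " + name);
                continue;
            }
            if (pattern.matcher(name).matches()) out.add(name);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed entry names for the demo; none come from the project's jars.
        List<String> entries = List.of(
            "json/data/tags/personalData.json",  // legitimate resource path
            "../../etc/passwd",                  // classic Zip Slip name
            "json/../../../outside.json",        // traversal hidden behind a normal prefix
            "/etc/passwd", "json/./data//tags.json", "");
        System.out.println(safeMatchingEntries(entries, Pattern.compile("json/.*\\.json")));
    }
}
```

Only the first and the fifth names survive: the fifth normalizes cleanly, while the two traversal names, the absolute path and the empty name are rejected before the regex ever runs.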

Auto-apply is off - Gitar will not commit updates to this branch. Enable by commenting gitar auto-apply:on.

gitar-bot[bot] · Dec 10 '25 22:12