Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(security) Fix tar slip in micropackaging #3559

Merged
merged 7 commits into from
Jan 29, 2024
Merged

Conversation

ankatiyar
Copy link
Contributor

@ankatiyar ankatiyar commented Jan 26, 2024

Description

Fix #3473

While we had already addressed the vulnerability with #2180, this helps snyk not flag it. You can test it by setting up snyk locally and running snyk code test
Also removed extractall from tests and replaced with safe_extract.

Before

Screenshot 2024-01-26 at 12 34 43

After

Screenshot 2024-01-26 at 12 35 20

bandit still flags this so I haven't removed the # no sec B202

Checklist

  • Read the contributing guidelines
  • Signed off each commit with a Developer Certificate of Origin (DCO)
  • Opened this PR as a 'Draft Pull Request' if it is work-in-progress
  • Updated the documentation to reflect the code changes
  • Added a description of this change in the RELEASE.md file
  • Added tests to cover my changes
  • Checked if this change will affect Kedro-Viz, and if so, communicated that with the Viz team

Signed-off-by: Ankita Katiyar <[email protected]>
Signed-off-by: Ankita Katiyar <[email protected]>
Signed-off-by: Ankita Katiyar <[email protected]>
@ankatiyar ankatiyar requested a review from noklam January 26, 2024 12:43
@astrojuanlu
Copy link
Member

bandit still flags this so I haven't removed the # no sec B202

What's the bandit error message exactly?

@ankatiyar
Copy link
Contributor Author

ankatiyar commented Jan 26, 2024

bandit still flags this so I haven't removed the # no sec B202

What's the bandit error message exactly?

@astrojuanlu It flags the same issue, actually, but brings down the severity from high to medium -

>> Issue: [B202:tarfile_unsafe_members] Found tarfile.extractall(members=?) but couldn't identify the type of members. Check if the members were properly validated {'Other': 'safe_members'}).
   Severity: Medium   Confidence: Medium
   CWE: CWE-22 (https://cwe.mitre.org/data/definitions/22.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b202_tarfile_unsafe_members.html
   Location: /Users/ankita_katiyar/kedro/kedro/kedro/framework/cli/micropkg.py:400:4
399             safe_members.append(member)
400         tar.extractall(path, members=safe_members)

Signed-off-by: Ankita Katiyar <[email protected]>
Copy link
Member

@merelcht merelcht left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work! ⭐ I'd suggest adding it to the release notes as well to make it visible we take security seriously in Kedro.

It's a shame bandit still flags it.. hopefully they fix it soon.

@ankatiyar ankatiyar enabled auto-merge (squash) January 29, 2024 11:17
@ankatiyar ankatiyar merged commit 5c61db2 into main Jan 29, 2024
34 checks passed
@ankatiyar ankatiyar deleted the security-vulnerability branch January 29, 2024 11:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

(security) Fix Arbitrary File Write via Archive Extraction
4 participants