RSPEC-5042

Expanding archive files is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that expanding this archive file is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      PHP
    • Covered Languages:
      C#, Java, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • CERT:
      IDS04-J.
    • CWE:
      CWE-409
    • OWASP:
      A1

      Description

      Expanding archive files is security-sensitive. For example, expanding archive files has led in the past to the following vulnerabilities:

      Applications that expand archive files (zip, tar, jar, war, 7z, ...) should verify the path where the archive's files are expanded and should not blindly trust the content of the archive. The archive's files should not be expanded outside of the root directory where the archive is supposed to be expanded. Applications should also control the size of the expanded data so as not to fall victim to a zip bomb attack. Failure to do so could allow an attacker to use a specially crafted archive that holds directory traversal paths (e.g. ../../attacker.sh), or to overload the file system, processors or memory of the operating system where the archive is expanded, making the target OS completely unusable.

      This rule raises an issue when code handles archives. The goal is to guide security code reviews.

      Ask Yourself Whether

      • there is no validation of the name of the archive entry
      • there is no validation of the effective path where the archive entry is going to be expanded
      • there is no validation of the size of the expanded archive entry
      • there is no validation of the ratio between the compressed and uncompressed archive entry

      You are at risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      Validate the full path of the extracted file against the full path of the directory where files are expanded.

      • the canonical path of the expanded file must start with the canonical path of the directory where files are extracted.
      • the name of the archive entry must not contain "..", i.e. reference to a parent directory.

      Stop extracting the archive if any of its entries has been tainted with a directory traversal path.

      Define and control the ratio between compressed and uncompressed bytes.

      Define and control the maximum allowed expanded file size.

      Count the number of file entries extracted from the archive and abort the extraction if their number is greater than a predefined threshold.
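      The following Java method applies all of the checks above to a zip archive read with java.util.zip.ZipInputStream. It is an added illustration for this rule, not code from the SonarSource rule specification; the class name SafeUnzip and the three limits (MAX_ENTRIES, MAX_TOTAL_BYTES, MAX_RATIO) are assumptions chosen for the example and should be tuned to the application.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeUnzip {

    // Limits are assumptions for this example; tune them to the application.
    private static final int MAX_ENTRIES = 1024;
    private static final long MAX_TOTAL_BYTES = 100L * 1024 * 1024; // 100 MiB of expanded data
    private static final int MAX_RATIO = 10;                         // uncompressed : compressed

    private SafeUnzip() {}

    public static void extract(Path archive, Path destDir) throws IOException {
        // Normalise the destination once; every entry must resolve underneath it.
        Path root = destDir.toAbsolutePath().normalize();
        Files.createDirectories(root);

        int entries = 0;
        long totalBytes = 0;

        try (ZipInputStream zis = new ZipInputStream(Files.newInputStream(archive))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Check 1: bound the number of entries.
                if (++entries > MAX_ENTRIES) {
                    throw new IOException("Too many entries in archive");
                }
                String name = entry.getName();
                // Check 2: reject parent-directory references in the entry name itself.
                if (name.contains("..")) {
                    throw new IOException("Entry name contains '..': " + name);
                }
                // Check 3: the normalised target path must start with the root directory.
                // Path.startsWith compares whole path components, so "/out2" does not
                // pass for a root of "/out", and an absolute entry name resolves outside root.
                Path target = root.resolve(name).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("Entry escapes destination: " + name);
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                    zis.closeEntry();
                    continue;
                }
                Files.createDirectories(target.getParent());

                // Checks 4 and 5: count bytes as they are inflated. The size fields in the
                // zip headers are attacker-controlled, so only the bytes actually read are trusted.
                long entryBytes = 0;
                byte[] buf = new byte[8192];
                try (OutputStream out = Files.newOutputStream(target)) {
                    int n;
                    while ((n = zis.read(buf)) > 0) {
                        entryBytes += n;
                        totalBytes += n;
                        if (totalBytes > MAX_TOTAL_BYTES) {
                            throw new IOException("Expanded size exceeds limit");
                        }
                        // Compressed size is -1 for streamed entries until the entry is fully read,
                        // so the ratio is only checked when the value is known.
                        long compressed = entry.getCompressedSize();
                        if (compressed > 0 && entryBytes / compressed > MAX_RATIO) {
                            throw new IOException("Compression ratio too high: " + name);
                        }
                        out.write(buf, 0, n);
                    }
                }
                zis.closeEntry();
            }
        }
    }
}
```

      The method stops at the first offending entry, as the practice above recommends; files already written before the failure remain on disk, so a caller that wants an all-or-nothing result should extract into a fresh temporary directory and delete it when extract throws.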

          Issue Links

          1.
          Java RSPEC-5043 Language-Specification Active Unassigned
          2.
          C# RSPEC-5044 Language-Specification Active Unassigned
          3.
          VB.NET RSPEC-5046 Language-Specification Active Unassigned

              People

              • Assignee:
                Unassigned
                Reporter:
                alexandre.gigleux Alexandre Gigleux