fix CWE-23: prevent zipslip/directory traversal attacks

src/amg/HISTORY.rst

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+2.8.2
+++++++
+* Security fix: prevent zipslip/directory traversal attacks during tar archive extraction in restore operations
+
 0.1.0
 ++++++
 * Initial release.

src/amg/azext_amg/restore.py

@@ -38,7 +38,7 @@ def restore(grafana_url, archive_file, components, http_headers, destination_dat
 
     with tarfile.open(name=archive_file, mode='r:gz') as tar:
         with tempfile.TemporaryDirectory() as tmpdir:
-            tar.extractall(tmpdir)
+            tar.extractall(tmpdir, filter='data')
             tar.close()
             _restore_components(grafana_url, restore_functions, tmpdir, components, http_headers,
                                 destination_datasources=destination_datasources)

src/amg/setup.py

@@ -16,7 +16,7 @@
 
 # TODO: Confirm this is the right version number you want and it matches your
 # HISTORY.rst entry.
-VERSION = '2.8.1'
+VERSION = '2.8.2'
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers

src/aosm/HISTORY.rst

@@ -2,6 +2,10 @@
 
 Release History
 ===============
+2.0.0b3
+++++++++
+* Security fix: prevent zipslip/directory traversal attacks during tar archive extraction in helm package processing
+
 2.0.0b2
 ++++++++
 * Remove msrestazure dependency

src/aosm/azext_aosm/common/utils.py

@@ -101,10 +101,10 @@ def extract_tarfile(file_path: Path, target_dir: Path) -> Path:
 
     if file_extension in (".gz", ".tgz"):
         with tarfile.open(file_path, "r:gz") as tar:
-            tar.extractall(path=target_dir)
+            tar.extractall(path=target_dir, filter='data')
     elif file_extension == ".tar":
         with tarfile.open(file_path, "r:") as tar:
-            tar.extractall(path=target_dir)
+            tar.extractall(path=target_dir, filter='data')
     else:
         raise InvalidFileTypeError(
             f"ERROR: The helm package, '{file_path}', is not"

src/aosm/setup.py

@@ -17,7 +17,7 @@
 
 # Confirm this is the right version number you want and it matches your
 # HISTORY.rst entry.
-VERSION = "2.0.0b2"
+VERSION = "2.0.0b3"
 
 
 # The full list of classifiers is available at

src/confcom/HISTORY.rst

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+1.2.8
+++++++
+* Security fix: prevent zipslip/directory traversal attacks during tar archive extraction in container image and manifest processing
+
 1.2.7
 ++++++
 * bugfix making it so that oras discover function doesn't error when no fragments are found in the remote repository

src/confcom/azext_confcom/os_util.py

@@ -170,7 +170,7 @@ def map_image_from_tar_backwards_compatibility(image_name: str, tar: TarFile, ta
         # extract just the manifest file and see if any of the RepoTags match the image_name we're searching for
         # the manifest.json should have a list of all the image tags
         # and what json files they map to to get env vars, startup cmd, etc.
-        tar.extract("manifest.json", path=tar_dir)
+        tar.extract("manifest.json", path=tar_dir, filter='data')
         manifest_path = os.path.join(tar_dir, "manifest.json")
         manifest = load_json_from_file(manifest_path)
         # if we match a RepoTag to the image, stop searching
@@ -187,7 +187,7 @@ def map_image_from_tar_backwards_compatibility(image_name: str, tar: TarFile, ta
 
     if not info_file:
         return None
-    tar.extract(info_file.name, path=tar_dir)
+    tar.extract(info_file.name, path=tar_dir, filter='data')
 
     # get the path of the json file and read it in
     image_info_file_path = os.path.join(tar_dir, info_file.name)
@@ -259,7 +259,7 @@ def map_image_from_tar(image_name: str, tar: TarFile, tar_location: str):
     # extract just the manifest file and see if any of the RepoTags match the image_name we're searching for
     # the manifest.json should have a list of all the image tags
     # and what json files they map to to get env vars, startup cmd, etc.
-    tar.extract(info_file_name, path=tar_dir)
+    tar.extract(info_file_name, path=tar_dir, filter='data')
     manifest_path = os.path.join(tar_dir, info_file_name)
     manifest = load_json_from_file(manifest_path)
     try:
@@ -274,7 +274,7 @@ def map_image_from_tar(image_name: str, tar: TarFile, tar_location: str):
 
     if not info_file:
         return None
-    tar.extract(info_file, path=tar_dir)
+    tar.extract(info_file, path=tar_dir, filter='data')
 
     # get the path of the json file and read it in
     image_info_file_path = os.path.join(tar_dir, info_file)

src/confcom/azext_confcom/tests/latest/test_confcom_fragment.py

@@ -498,7 +498,7 @@ def test_tar_file_fragment(self):
                 tar_mapping_file = {"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64": filename2}
                 create_tar_file(filename)
                 with TarFile(filename, "r") as tar:
-                    tar.extractall(path=folder)
+                    tar.extractall(path=folder, filter='data')
 
                 with TarFile.open(filename2, mode="w") as out_tar:
                     out_tar.add(os.path.join(folder, "index.json"), "index.json")

src/confcom/azext_confcom/tests/latest/test_confcom_tar.py

@@ -180,7 +180,7 @@ def test_oci_tar_file(self):
                 tar_mapping_file = {"mcr.microsoft.com/aks/e2e/library-busybox:master.220314.1-linux-amd64": filename2}
                 create_tar_file(filename)
                 with TarFile(filename, "r") as tar:
-                    tar.extractall(path=folder)
+                    tar.extractall(path=folder, filter='data')
 
                 with TarFile.open(filename2, mode="w") as out_tar:
                     out_tar.add(os.path.join(folder, "index.json"), "index.json")

src/confcom/setup.py

@@ -19,7 +19,7 @@
 
     logger.warn("Wheel is not available, disabling bdist_wheel hook")
 
-VERSION = "1.2.7"
+VERSION = "1.2.8"
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers

src/connectedk8s/HISTORY.rst

@@ -2,6 +2,10 @@
 
 Release History
 ===============
+1.10.9
+++++++
+* Security fix: prevent zipslip/directory traversal attacks during tar archive extraction in Arc Connectivity proxy binary processing
+
 1.10.8
 ++++++
 * Force delete parameter updated to `connectedk8s delete` command to allow force deletion of connectedk8s ARM resource.

src/connectedk8s/azext_connectedk8s/clientproxyhelper/_binaryutils.py

@@ -182,7 +182,7 @@ def _extract_proxy_tar_files(
 
                 members.append(member)
 
-        tar.extractall(members=members, path=install_dir)
+        tar.extractall(members=members, path=install_dir, filter='data')
 
 
 def _check_proxy_installation(

src/connectedk8s/setup.py

@@ -13,7 +13,7 @@
 # TODO: Confirm this is the right version number you want and it matches your
 # HISTORY.rst entry.
 
-VERSION = "1.10.8"
+VERSION = "1.10.9"
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers

src/containerapp/azext_containerapp/tests/latest/test_containerapp_create_update_up_java.py

@@ -37,7 +37,7 @@ def download_java_source(source_path):
                     shutil.rmtree(source_path)
 
                 with tarfile.open(temp_file.name, 'r:gz') as tar:
-                    tar.extractall(path=source_path)
+                    tar.extractall(path=source_path, filter='data')
 
                 os.remove(temp_file.name)
 

src/networkcloud/HISTORY.rst

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+3.0.1
+++++++++
+* Security fix: prevent zipslip/directory traversal attacks during tar archive extraction in custom action result blob processing
+
 3.0.0
 ++++++++
 * This stable version supports NetworkCloud 2025-02-01 APIs.

src/networkcloud/azext_networkcloud/operations/custom_properties.py

@@ -59,7 +59,7 @@ def _output(parent_cmd, *args, **kwargs):  # pylint: disable=unused-argument
                 try:
                     with urllib.request.urlopen(result_url) as result:
                         with tarfile.open(fileobj=result, mode="r:gz") as tar:
-                            tar.extractall(path=output_directory)
+                            tar.extractall(path=output_directory, filter='data')
                             logger.warning(
                                 "Extracted results are available in directory: %s",
                                 output_directory,
@@ -126,7 +126,7 @@ def _output(parent_cmd, *args, **kwargs):  # pylint: disable=unused-argument
                 try:
                     # Extract the downloaded blob
                     with tarfile.open(downloaded_blob_name, mode="r:gz") as tar:
-                        tar.extractall(path=output_directory)
+                        tar.extractall(path=output_directory, filter='data')
                         logger.warning(
                             "Extracted results are available in directory: %s",
                             output_directory,

src/networkcloud/setup.py

@@ -10,7 +10,7 @@
 
 
 # HISTORY.rst entry.
-VERSION = '3.0.0'
+VERSION = '3.0.1'
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers

src/ssh/HISTORY.md

@@ -1,5 +1,9 @@
 Release History
 ===============
+2.1.0
+-----
+* Security fix: prevent zipslip/directory traversal attacks during tar archive extraction in SSH proxy binary processing
+
 2.0.6
 -----
 * Remove msrestazure dependency

src/ssh/azext_ssh/connectivity_utils.py

@@ -325,7 +325,7 @@ def _extract_proxy_tar_files(proxy_package_path, install_dir, proxy_name):
 
                 members.append(member)
 
-        tar.extractall(members=members, path=install_dir)
+        tar.extractall(members=members, path=install_dir, filter='data')
 
 
 def _check_proxy_installation(install_dir, proxy_name):

src/ssh/setup.py

@@ -7,7 +7,7 @@
 
 from setuptools import setup, find_packages
 
-VERSION = "2.0.6"
+VERSION = "2.1.0"
 
 CLASSIFIERS = [
     'Development Status :: 4 - Beta',