pySCG pillar 664 base 409 #944
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
myteron
commented
Jul 15, 2025
myteron
commented
- Adding doc for CWE409 as part of pySCG: Doc2GitHub, moving code from an internal confluence to this GitHub space. #531
- Updated TEMPLATE_README.md with html table tags
Signed-off-by: Helge Wehder <[email protected]>
Signed-off-by: Helge Wehder <[email protected]>
Signed-off-by: Helge Wehder <[email protected]>
Signed-off-by: Helge Wehder <[email protected]>
Signed-off-by: Helge Wehder <[email protected]>
|
reviewing |
dwiley258
reviewed
Jul 17, 2025
|
|
||
| ## Non-Compliant Code Example - No File Validation | ||
|
|
||
| The `noncompliant01.py` example simply extracts all the files in the archive without performing any verification. The `extractall()` method will attempt to normalize the path name. Any archive from an untrusted source should be inspected prior to extraction. There is no attempt to control where the files are extracted, which is the script current working directory. |
There was a problem hiding this comment.
In this confluence it is written
"The extractall() method will attempt to normalize the path name but any archive"
the way it is here doesn't read right to me.
s19110
reviewed
Jul 17, 2025
| </tr> | ||
| <tr> | ||
| <td><a href="http://cwe.mitre.org/">MITRE CWE</a></td> | ||
| <td>Base: <a href="https://cwe.mitre.org/data/definitions/1335.html">[CWE-1335: Incorrect Bitwise Shift of Integer (4.12)]</a></td> |
There was a problem hiding this comment.
I think it's worth keeping the info about CWEs being marked as either Base or Class. New contributors may not realize you have to check that on the official website.
Suggested change
| <td>Base: <a href="https://cwe.mitre.org/data/definitions/1335.html">[CWE-1335: Incorrect Bitwise Shift of Integer (4.12)]</a></td> | |
| <td>Base or Class (choose which one it is based on the abstraction on the CWE page): <a href="https://cwe.mitre.org/data/definitions/1335.html">[CWE-1335: Incorrect Bitwise Shift of Integer (4.12)]</a></td> |
| <td>[SEI CERT C 2025]</td> | ||
| <td>CERT C Coding Standard [online]. Available from: <a href=https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard>https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Coding+Standard</a> [Accessed 6 May 2025]</td> | ||
| </tr> | ||
| </table> |
There was a problem hiding this comment.
The link to the reference guide is missing.
Suggested change
| </table> | |
| </table> | |
| When writing bibliography, follow the [Harvard reference guide](https://dkit.ie.libguides.com/harvard/citing-referencing) |
There was a problem hiding this comment.
This file seems unrelated to the pull request. I can't find this CWE on the main branch. Was it added by accident or will the readme and the other code examples be added later?
|
|
||
| The `noncompliant01.py` code will extract any quantity of payloads. With a unmodified `example01.py` we get only `4 x 150MB` `zipbombfileX.txt`'s that are much bigger than the `0.58MB` `zip_attack_test.zip` archive. | ||
|
|
||
| The directory traversal payload will try to extract a `\Temp\zip_slip_windows.txt` for Windows and a `/tmp/zip_slip_posix.txt` for Unix based systems. Depending on the zip library in use the files may either end up in their indented target, under the same directory as the `zipbombfile.txt` files, or not at all. |
There was a problem hiding this comment.
Indented means it has a zigzag pattern, like Python code where we change the indents for different code blocks! I think you meant "intended":
Suggested change
| The directory traversal payload will try to extract a `\Temp\zip_slip_windows.txt` for Windows and a `/tmp/zip_slip_posix.txt` for Unix based systems. Depending on the zip library in use the files may either end up in their indented target, under the same directory as the `zipbombfile.txt` files, or not at all. | |
| The directory traversal payload will try to extract a `\Temp\zip_slip_windows.txt` for Windows and a `/tmp/zip_slip_posix.txt` for Unix based systems. Depending on the zip library in use the files may either end up in their intended target, under the same directory as the `zipbombfile.txt` files, or not at all. |
|
|
||
| Experiment with the code by varying the `MAXSIZE`. | ||
|
|
||
| The `noncompliant02.py` code example tries to check the file_size from the `ZipInfo` instances provided by the `infolist()` method from `ZipFile`. This information is read from the `zip` archive metadata, so it is not reliable and can be forged by an attacker. The `extract()` method will attempt to normalize the path name. Again, there is no attempt to control where the files are extracted to in order to prevent traversal attacks. The underlaying zip library may or may not prevent traversal attacks. |
There was a problem hiding this comment.
Backticks + spelling fix:
Suggested change
| The `noncompliant02.py` code example tries to check the file_size from the `ZipInfo` instances provided by the `infolist()` method from `ZipFile`. This information is read from the `zip` archive metadata, so it is not reliable and can be forged by an attacker. The `extract()` method will attempt to normalize the path name. Again, there is no attempt to control where the files are extracted to in order to prevent traversal attacks. The underlaying zip library may or may not prevent traversal attacks. | |
| The `noncompliant02.py` code example tries to check the `file_size` from the `ZipInfo` instances provided by the `infolist()` method from `ZipFile`. This information is read from the `zip` archive metadata, so it is not reliable and can be forged by an attacker. The `extract()` method will attempt to normalize the path name. Again, there is no attempt to control where the files are extracted to in order to prevent traversal attacks. The underlying zip library may or may not prevent traversal attacks. |
|
|
||
| ``` | ||
|
|
||
| Depending on the underlaying zip library we should see `noncompliant02.py` prevent a zip bomb but not a traversal attack. |
There was a problem hiding this comment.
Typo:
Suggested change
| Depending on the underlaying zip library we should see `noncompliant02.py` prevent a zip bomb but not a traversal attack. | |
| Depending on the underlying zip library we should see `noncompliant02.py` prevent a zip bomb but not a traversal attack. |
Comment on lines
14
to
15
| class ZipExtractException(Exception): | ||
| """Custom Exception""" |
There was a problem hiding this comment.
Couldn't we use the built-in ValueError instead of creating a custom exception with no distinct characteristics?
| ZipExtractException: If there are to big files | ||
| ZipExtractException: If a directory traversal is detected | ||
| """ | ||
| # TODO: avoid exposing sensitive data to a lesser trusted entity via errors |
There was a problem hiding this comment.
We could reference CWE-209 to give an example of how to do it once that rule gets merged :D
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.