Fix Zip Slip vulnerability (CWE-22) in GenClass #28226
Open
+18
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GenClass.java was vulnerable to path traversal attacks when extracting JAR entries. A malicious JAR file could contain entries with names like "../../../etc/malicious.class" which would be written outside the intended temporary extraction directory. This fix: - Normalizes the output path after resolving against tempDir - Validates that the normalized path still starts with tempDir - Throws IOException if a Zip Slip attack is detected This prevents supply chain attacks where compromised transitive dependencies could achieve arbitrary file writes on developer machines or CI/CD runners. Fixes bazelbuild#28120
github-actions
bot
added
team-Rules-Java
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly addresses the core Zip Slip vulnerability (CWE-22) by normalizing and validating the destination path for extracted JAR entries. This is a crucial security improvement. However, the current implementation remains vulnerable to a Time-of-check to Time-of-use (TOCTOU) race condition. An attacker could potentially use symlinks to bypass the validation between the path check and the file write operation. I have added a high-severity comment with a suggested code change to mitigate this race condition by verifying the real path of the parent directory after its creation.
src/java_tools/buildjar/java/com/google/devtools/build/buildjar/genclass/GenClass.java
Outdated
Show resolved
Hide resolved
Add additional protection against Time-of-check to Time-of-use (TOCTOU) race conditions where an attacker could create a symlink after the initial path validation but before file write. After creating parent directories, verify the real path (resolving symlinks) is still within tempDir bounds.
srikantharun
force-pushed
the
fix/genclass-zipslip-cwe22
branch
from
3a596dd to
cb9deba
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a path traversal vulnerability (CWE-22) in
GenClass.javathat allows malicious JAR files to write files outside the intended extraction directory.Problem
The
extractGeneratedClassesmethod in GenClass acceptsJarEntry.getName()values directly without path validation. A malicious JAR with entries containing../sequences could escape the extraction root and write files anywhere on the filesystem.Solution
Two-layer protection:
1. Path normalization check:
2. TOCTOU protection via symlink verification:
This prevents both:
../path traversal attacksSecurity Impact
Prevents supply chain attacks where compromised transitive dependencies could achieve arbitrary file writes on developer machines or CI/CD runners, undermining Bazel's hermeticity guarantees.
Test plan
toRealPath()verificationFixes #28120