Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 659f4e1

Browse files
pixeeaipixeeai
authored
Revert "Introduced protections against "zip slip" attacks (#1)" (#3)
This reverts commit 68d534e.
1 parent fb9be77 commit 659f4e1

File tree

4 files changed

+4
-8
lines changed

4 files changed

+4
-8
lines changed

core/src/main/java/io/kestra/plugin/core/flow/WorkingDirectory.java

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,6 @@
11
package io.kestra.plugin.core.flow;
22

33
import com.fasterxml.jackson.core.type.TypeReference;
4-
import io.github.pixee.security.ZipSecurity;
54
import io.kestra.core.exceptions.IllegalVariableEvaluationException;
65
import io.kestra.core.models.annotations.Example;
76
import io.kestra.core.models.annotations.Plugin;
@@ -243,7 +242,7 @@ public void preExecuteTasks(RunContext runContext, TaskRun taskRun) throws Excep
243242
if (maybeCacheFile.isPresent()) {
244243
runContext.logger().debug("Cache exist, downloading it");
245244
// download the cache if exist and unzip all entries
246-
try (ZipInputStream archive = ZipSecurity.createHardenedInputStream(maybeCacheFile.get())) {
245+
try (ZipInputStream archive = new ZipInputStream(maybeCacheFile.get())) {
247246
ZipEntry entry;
248247
while ((entry = archive.getNextEntry()) != null) {
249248
if (!entry.isDirectory()) {

webserver/src/main/java/io/kestra/webserver/controllers/api/FlowController.java

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,5 @@
11
package io.kestra.webserver.controllers.api;
22

3-
import io.github.pixee.security.ZipSecurity;
43
import io.kestra.core.exceptions.IllegalVariableEvaluationException;
54
import io.kestra.core.exceptions.InternalException;
65
import io.kestra.core.models.SearchResult;
@@ -755,7 +754,7 @@ public HttpResponse<Void> importFlows(
755754
this.importFlow(tenantId, source.trim());
756755
}
757756
} else if (fileName.endsWith(".zip")) {
758-
try (ZipInputStream archive = ZipSecurity.createHardenedInputStream(fileUpload.getInputStream())) {
757+
try (ZipInputStream archive = new ZipInputStream(fileUpload.getInputStream())) {
759758
ZipEntry entry;
760759
while ((entry = archive.getNextEntry()) != null) {
761760
if (entry.isDirectory() || !entry.getName().endsWith(".yml") && !entry.getName().endsWith(".yaml")) {

webserver/src/main/java/io/kestra/webserver/controllers/api/NamespaceFileController.java

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,5 @@
11
package io.kestra.webserver.controllers.api;
22

3-
import io.github.pixee.security.ZipSecurity;
43
import io.kestra.core.services.FlowService;
54
import io.kestra.core.storages.FileAttributes;
65
import io.kestra.core.storages.NamespaceFile;
@@ -138,7 +137,7 @@ public void createFile(
138137
) throws IOException, URISyntaxException {
139138
String tenantId = tenantService.resolveTenant();
140139
if(fileContent.getFilename().toLowerCase().endsWith(".zip")) {
141-
try (ZipInputStream archive = ZipSecurity.createHardenedInputStream(fileContent.getInputStream())) {
140+
try (ZipInputStream archive = new ZipInputStream(fileContent.getInputStream())) {
142141
ZipEntry entry;
143142
while ((entry = archive.getNextEntry()) != null) {
144143
if (entry.isDirectory()) {

webserver/src/main/java/io/kestra/webserver/controllers/api/TemplateController.java

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,5 @@
11
package io.kestra.webserver.controllers.api;
22

3-
import io.github.pixee.security.ZipSecurity;
43
import io.kestra.core.models.templates.Template;
54
import io.kestra.core.models.templates.TemplateEnabled;
65
import io.kestra.core.models.validations.ManualConstraintViolation;
@@ -357,7 +356,7 @@ public HttpResponse<Void> importTemplates(@Parameter(description = "The file to
357356
importTemplate(parsed);
358357
}
359358
} else if (fileName.endsWith(".zip")) {
360-
try (ZipInputStream archive = ZipSecurity.createHardenedInputStream(fileUpload.getInputStream())) {
359+
try (ZipInputStream archive = new ZipInputStream(fileUpload.getInputStream())) {
361360
ZipEntry entry;
362361
while ((entry = archive.getNextEntry()) != null) {
363362
if (entry.isDirectory() || !entry.getName().endsWith(".yml") && !entry.getName().endsWith(".yaml")) {

0 commit comments

Comments
 (0)