SonarQube issue: Make sure that decompressing this archive file is safe

I have code that creates 3 files from 3 strings and packs them into an archive, like this:

using System;
using System.IO;
using System.IO.Compression;
using System.Threading.Tasks;

// CertificateCredentials is the poster's own type; its three properties hold base64-encoded DER blobs.
private static async Task<byte[]> CreateArchive(CertificateCredentials certificate)
{
    using (var ms = new MemoryStream())
    {
        // leaveOpen is false: disposing the archive finalises the zip (writes the central directory)
        // and closes ms; MemoryStream.ToArray() still works on a closed stream.
        using (var archive = new ZipArchive(ms, ZipArchiveMode.Create, false))
        {
            await Add(archive, "certificate.der", certificate.CertificateContent);
            await Add(archive, "issuing_ca.der", certificate.IssuingCACertificateContent);
            await Add(archive, "private_key.der", certificate.PrivateKeyContent);
        }
        return ms.ToArray();

        // Local function: decodes the base64 content and writes it as one entry in the archive.
        async Task Add(ZipArchive zipArchive, string filename, string content)
        {
            ZipArchiveEntry zipEntry = zipArchive.CreateEntry(filename);
            using (var originalFileStream = new MemoryStream(Convert.FromBase64String(content)))
            using (Stream zipEntryStream = zipEntry.Open())
            {
                await originalFileStream.CopyToAsync(zipEntryStream);
            }
        }
    }
}

In the SonarQube report I get a Critical Security Hotspot on this line:

using (Stream zipEntryStream = zipEntry.Open())

with the message:

Make sure that decompressing this archive file is safe

https://rules.sonarsource.com/csharp?search=Expanding%20archive%20files%20is%20security-sensitive

How do I fix this? It looks safe to me.

Thanks in advance

For the security-related rules you can find the actual documentation here. You can read in the "What to expect from security-related rules" that the chance of false positives is greater and that a human should have a look at it when an issue is raised. So, given the example, it is well possible that this issue can be identified as a false positive and no code change is needed. In the user guide you can find here how to handle reported issues. In the "Automatic Issue Assignment" section (Technical Review) you can read how to mark an issue as a false positive (this requires the Administer Issues permission on the project) using the SonarQube UI. This prevents future issue reporting on this code. When there are a lot of issues reported based on this rule you could decide to disable the rule or lower its priority. Another possibility is to narrow the focus, for example by ignoring the issues in a few blocks. It all depends on the project type and the project/security requirements.

Edit:

The rule warns about the following issues:

  • CVE-2018-1263: an (external) zip file can be constructed whose files, when extracted, are placed outside the extraction directory. When files are added to a zip, they are identified inside the zip by their file name (including a path, if needed). The CVE database does not mention an example yet.
  • CVE-2018-16131: an (external) zip can be created that, when extracted, consumes all available memory, which crashes the host ('Zip Bomb'). The CVE database points to this issue where someone successfully exploited the problem.

SonarQube does not want to know how ZipArchive is implemented. It is quite possible that, when adding a new item to the zip, the original zip is first extracted, which would expose the issues above. You are creating and using the zip archive (in memory, but that is not very relevant) in your own code and are not using any externally supplied zip file, so if you trust the .Net implementation of the methods used.

The SonarQube documentation also points to this Java example, which contains a security-compliant solution. Even then, it is quite likely that SonarQube will still warn you.
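For the case the rule is really aimed at, extracting an archive that did come from outside, the two issues listed above (CVE-2018-1263 path traversal and the CVE-2018-16131 zip bomb) are what an extraction routine has to check. The following is an added C# example, not code from the question, the answer or SonarQube; the size and ratio limits are assumed values chosen for illustration.

```csharp
using System;
using System.IO;
using System.IO.Compression;
// Added example, not code from the question or answer; the limits are assumed values.
public static class SafeZipExtractor
{
    const long MaxTotalBytes = 100L * 1024 * 1024; // assumed: 100 MiB of output in total
    const double MaxRatio = 10.0;                  // assumed: uncompressed/compressed limit
    public static void Extract(Stream zipStream, string destinationDir)
    {
        string destRoot = Path.GetFullPath(destinationDir);
        if (!destRoot.EndsWith(Path.DirectorySeparatorChar.ToString()))
            destRoot += Path.DirectorySeparatorChar;
        long totalWritten = 0;
        byte[] buffer = new byte[81920];
        using (var archive = new ZipArchive(zipStream, ZipArchiveMode.Read))
        {
            foreach (ZipArchiveEntry entry in archive.Entries)
            {
                // Zip Slip (CVE-2018-1263): the resolved path must stay under destRoot;
                // absolute names and "../" segments resolve elsewhere and are rejected.
                string target = Path.GetFullPath(Path.Combine(destRoot, entry.FullName));
                if (!target.StartsWith(destRoot, StringComparison.Ordinal))
                    throw new InvalidDataException("entry escapes destination: " + entry.FullName);
                if (string.IsNullOrEmpty(entry.Name)) // directory entry, name ends with '/'
                {
                    Directory.CreateDirectory(target);
                    continue;
                }
                // Zip bomb (CVE-2018-16131), first check: sizes declared in the archive.
                if (entry.CompressedLength > 0 && entry.Length > MaxRatio * entry.CompressedLength)
                    throw new InvalidDataException("suspicious compression ratio: " + entry.FullName);
                Directory.CreateDirectory(Path.GetDirectoryName(target));
                using (Stream src = entry.Open())
                using (FileStream dst = File.Create(target))
                {
                    int n;
                    while ((n = src.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        // Second check: count bytes actually produced, since declared sizes can be forged.
                        totalWritten += n;
                        if (totalWritten > MaxTotalBytes)
                            throw new InvalidDataException("uncompressed size limit exceeded");
                        dst.Write(buffer, 0, n);
                    }
                }
            }
        }
    }
}
```

On any exception the partially written files stay on disk, so a caller should extract into a fresh temporary directory and delete it on failure.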