plugin-ext: update 'decompress' #7319
Comments
vince-fugnitto
added
dependencies
|
I think we're decompressing with zip for |
Thank you, we should find a suitable alternative that handles them all. |
|
@vince-fugnitto @marcdumais-work @spoenemann maybe it is time to publish next versions as preview extensions into our registry and drop npm support |
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. This commit includes an archive that will trigger the exploit by writing a file to `/tmp/slipped.txt`. This comes from kevva/decompress#71 (comment) Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. This commit includes an archive that will trigger the exploit by writing a file to `/tmp/slipped.txt`. This comes from kevva/decompress#71 (comment) Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
Does this refer to the fact that we initially published the VS Code builtins on npm? Are there other VS Code extensions published on npm that we know about? Anyway, will not npm/yarn take care of unzipping the archive downloaded from npm? Can we drop Note: |
Yes, it is only about built-ins.
We don't use npm/yarn to download anything. @spoenemann Is there a way to publish a new version to Open VSX Registry but not like latest? What we need is to have for exactly the same unique id to versions one latest for tested version and one next to nightly build. |
Fix zip-slip by validating where a given file will be unpacked. If the expected path is outside of the destination folder: log a warning and ignore the file. This commit includes an archive that will trigger the exploit by writing a file to `/tmp/slipped.txt`. This comes from magicOz, who reported the vulnerability on kevva's decompress repository (issue 71). Fixes #7319 Signed-off-by: Paul Maréchal <paul.marechal@ericsson.com>
|
package.json has a |
|
@spoenemann It sounds fine. I'm more concerned whether current registry api can provide a stable URI for latest and next versions? i.e. something like |
vince-fugnitto
changed the title
Description
The
decompressdependency (part ofplugin-ext) has a known security vulnerability which has been reported by the security-audit.The issue is that
decompressis not well-maintained (3 years since the last release) and it is unlikely that the flaw will be resolved. We should instead opt for a license compatible alternative which is maintained.Update
decompresshas been updated and no longer has a security advisory so there is no need to find an alternative, we can instead update the dependency todecompress >= 4.2.1The text was updated successfully, but these errors were encountered: