Tests for the Zip Slip vuln raise alarms by ClamAV antivirus... #384
Thanks for reporting this, and sorry for the trouble caused by my patch!

One solution would be to exclude the test files from the gem. I'm not sure what the best practice here is. The discussion here suggests that it would be OK to exclude the test files: https://stackoverflow.com/questions/37800233/should-one-include-tests-in-a-packaged-gem

There are some counterpoints here: rubygems/rubygems#735

A possible compromise would be to exclude the path traversal test files from the gem and adjust the test suite to skip those tests if they are missing. I'm certainly open to other suggestions.
hi @jdleesmiller,
Hello,
Since 21 Sept. I have been getting the following messages from my daily ClamAV scan:
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/tuzovakaoff/symlink.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/relative1.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND
/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/rubyzip-1.2.2/test/data/path_traversal/jwilk/relative2.zip: Sanesecurity.Malware.27384.ZipHeur.ZipSlip.UNOFFICIAL FOUND
This is because the Sanesecurity signature base flags those three files as vulnerable to a known risk.
I understand those files come from the commit d07b13a (Merge pull request #376 from jdleesmiller/fix-cve-2018-1000544) for version 1.2.2, which fixes the Zip Slip (CVE-2018-1000544) vulnerability.
Would it be possible to just delete those files?
Kind regards,
-- Maxime DERCHE
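The condition the ZipHeur.ZipSlip signature and the 1.2.2 fix are both concerned with is an archive entry whose name resolves outside the extraction directory; the following is an added example for this thread, not rubyzip's own code, and its entry names and destination directory are constructed.

```ruby
# Added example (not rubyzip's code): flag archive entry names that would be
# written outside the extraction directory, i.e. the Zip Slip condition.
# Entry names are constructed here; no real archive is read.

# Returns the absolute path an entry would be written to, or nil when that
# path falls outside dest_dir.
def safe_extract_path(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  # Absolute names and backslash separators are both traversal vectors.
  normalized = entry_name.gsub('\\', '/')
  return nil if normalized.start_with?('/')
  target = File.expand_path(normalized, base)
  target == base || target.start_with?(base + '/') ? target : nil
end

# Scan a list of entry names and return those that would escape dest_dir.
def zip_slip_entries(dest_dir, entry_names)
  entry_names.reject { |name| safe_extract_path(dest_dir, name) }
end

# Constructed sample entries in the spirit of the fixtures named above.
SAMPLE_ENTRIES = [
  'ok/file.txt',
  'a/../b.txt',          # stays inside: resolves to b.txt under dest_dir
  '../../tmp/evil.sh',   # escapes dest_dir
  '/etc/passwd',         # absolute name
  'sub\\..\\..\\x.txt'   # backslash traversal
].freeze

if __FILE__ == $PROGRAM_NAME
  zip_slip_entries('/tmp/extract', SAMPLE_ENTRIES).each { |e| puts "ZipSlip: #{e}" }
end
```

A symlink entry pointing outside the destination (the symlink.zip fixture listed above) is a separate vector that a name check alone does not catch; link targets need the same resolution against dest_dir.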