JFROG CLI: Extracting archives while downloading an artifact


Author: Jordan Tangy
Article number: 000006047
Source: Salesforce
First published: 2024-03-06T12:13:09Z
Last modified: 2024-03-21
Version: 2

When using JFrog CLI to download an artifact from a repository, the artifact can be downloaded and extracted in a single step with the '--explode' flag.

For instance, the command below retrieves the 'npm-example-0.0.3.tgz' artifact and extracts its contents as part of the download:

$ jf rt dl jordanta-npm-local/npm-example/-/npm-example-0.0.3.tgz --explode=true

17:49:30 [Info] Log path: /Users/jordanta/.jfrog/logs/jfrog-cli.2024-03-04.17-49-30.96470.log
{
  "status": "success",
  "totals": {
    "success": 1,
    "failure": 0
  }
}

However, some archives cannot be extracted this way and the command reports an error instead. For example, attempting to download and extract the following 'dummy_folder.tgz' archive fails:

$ jf rt dl test-repo/dummy_folder.tgz --explode=true

18:03:46 [🔵Info] Log path: /Users/jordanta/.jfrog/logs/jfrog-cli.2024-03-17.18-03-46.24983.log
18:03:53 [🚨Error] download finished with errors, please review the logs

When reviewing the log file, the error shows that extraction was refused because the archive looks like a Zip Slip exploit:
[Info] Searching items to download...
[Info] [Thread 2] Downloading test-repo/dummy_folder.tgz
[Info] [Thread 2] [0]: 206 Partial Content...
[Info] [Thread 2] [2]: 206 Partial Content...
[Info] [Thread 2] [1]: 206 Partial Content...
[Info] [Thread 2] Extracting archive: /Users/jordanta/Downloads/dummy_folder.tgz to /Users/jordanta/Downloads/
[Error] [Thread 2]  Received an error: walking ..: illegal path in archive: '../'. To prevent Zip Slip exploit, the path can't lead to an entry outside '/Users/jordanta/Downloads/'
[Error] walking ..: illegal path in archive: '../'. To prevent Zip Slip exploit, the path can't lead to an entry outside '/Users/jordanta/Downloads/'
[Error] walking ..: illegal path in archive: '../'. To prevent Zip Slip exploit, the path can't lead to an entry outside '/Users/jordanta/Downloads/'

This error occurs because of the folder structure of the archive: it contains an entry whose path begins with '../', so extracting it verbatim would write outside the extraction directory ('/Users/jordanta/Downloads/' in the log above).

[Image: folder structure of dummy_folder.tgz, showing the '../' entry]


The JFrog Security team uncovered a new vulnerability in plexus-archiver, a library for creating and extracting archives.
Despite a previous fix in 2018, the package remained susceptible to a Zip Slip-like attack.
The vulnerability occurs during archive extraction when entries whose names contain "../" are written to the filesystem as-is, resulting in unauthorized file writes outside the extraction directory.

Therefore, to prevent such vulnerabilities from being exploited through the CLI, JFrog CLI inspects each archive before exploding it and refuses to extract one that contains "../" entries when only the '--explode' flag is given.

If the archive is trusted and the '../' entries are expected, the error can be bypassed by adding the '--bypass-archive-inspection' flag to the '--explode' flag:

$ jf rt dl test-repo/dummy_folder.tgz --explode=true --bypass-archive-inspection

Use '--bypass-archive-inspection' with caution: it disables the inspection that blocks Zip Slip, so an entry such as '../' in the archive will be written outside the download directory. Apply it only to archives from a source you control, after confirming that every '../' entry is intentional.
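The following Python script is an added example (not JFrog CLI's own code) of the kind of inspection described above: it lists the entries of a .tgz that would escape the extraction directory, the check that '--explode' enforces and '--bypass-archive-inspection' skips. It builds two constructed archives in memory, one clean and one containing a '../escaped.txt' entry and a symlink pointing outside the destination, and only extracts when the inspection passes. The archive contents, the destination path and the function names are assumptions made for the illustration; running it before deciding to use '--bypass-archive-inspection' shows exactly which entries triggered the refusal.

```python
import io
import os
import tarfile


def is_path_within(dest: str, target: str) -> bool:
    """True if the fully resolved target path stays inside dest."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(target)
    return os.path.commonpath([dest, target]) == dest


def find_unsafe_entries(archive_bytes: bytes, dest: str) -> list:
    """Return (entry name, reason) for every entry that would land outside dest.

    Illustrative inspection, not JFrog CLI's implementation: an entry is unsafe
    if its path (e.g. '../x' or '/etc/x') resolves outside dest, or if it is a
    symlink/hardlink whose target resolves outside dest.
    """
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf:
            target = os.path.join(dest, member.name)
            if not is_path_within(dest, target):
                unsafe.append((member.name, "entry path escapes destination"))
                continue
            if member.issym() or member.islnk():
                # Symlink targets are relative to the entry's own directory,
                # hardlink targets are relative to the archive root.
                if member.issym():
                    link_target = os.path.join(os.path.dirname(target), member.linkname)
                else:
                    link_target = os.path.join(dest, member.linkname)
                if not is_path_within(dest, link_target):
                    unsafe.append((member.name, f"link points outside destination: {member.linkname}"))
    return unsafe


def safe_extract(archive_bytes: bytes, dest: str) -> list:
    """Extract only when inspection passes; raise ValueError otherwise.

    Returns the names of the extracted entries.
    """
    problems = find_unsafe_entries(archive_bytes, dest)
    if problems:
        details = "; ".join(f"{name}: {reason}" for name, reason in problems)
        raise ValueError(f"refusing to extract, possible Zip Slip: {details}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        # Python 3.12+ ships a 'data' extraction filter that also rejects
        # escaping entries; use it where available as a second line of defence.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, **kwargs)
        return tf.getnames()


def build_sample_archive(files, symlinks=()) -> bytes:
    """Build an in-memory .tgz from constructed (name, content) and (name, link target) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files:
            data = content.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        for name, link_target in symlinks:
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = link_target
            tf.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile

    # Constructed test data: a clean archive and one shaped like dummy_folder.tgz.
    clean = build_sample_archive([("dummy_folder/readme.txt", "hello\n")])
    suspicious = build_sample_archive(
        [("../escaped.txt", "written outside the download dir\n"),
         ("dummy_folder/readme.txt", "hello\n")],
        symlinks=[("dummy_folder/link", "../../etc/passwd")],
    )
    with tempfile.TemporaryDirectory() as dest:
        print("clean archive problems:", find_unsafe_entries(clean, dest))
        print("suspicious archive problems:", find_unsafe_entries(suspicious, dest))
        print("extracted:", safe_extract(clean, dest))
        try:
            safe_extract(suspicious, dest)
        except ValueError as err:
            print(err)
```

The same first-pass check can be done from the shell with `tar -tzf dummy_folder.tgz`, which lists entry names without extracting anything; the script adds the resolution of '..' components and link targets relative to the destination, which a plain listing does not show.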

More technical information about this topic is available at this link.