Skip to content

Fix Zip Slip vulnerability (CWE-22) in GenClass#28226

Closed
srikantharun wants to merge 2 commits intobazelbuild:masterfrom
srikantharun:fix/genclass-zipslip-cwe22
Closed

Fix Zip Slip vulnerability (CWE-22) in GenClass#28226
srikantharun wants to merge 2 commits intobazelbuild:masterfrom
srikantharun:fix/genclass-zipslip-cwe22

Conversation

@srikantharun
Copy link
Copy Markdown

@srikantharun srikantharun commented Jan 10, 2026
edited
Loading

Summary

Fixes a path traversal vulnerability (CWE-22) in GenClass.java that allows malicious JAR files to write files outside the intended extraction directory.

Problem

The extractGeneratedClasses method in GenClass accepts JarEntry.getName() values directly without path validation. A malicious JAR with entries containing ../ sequences could escape the extraction root and write files anywhere on the filesystem.

Solution

Two-layer protection:

1. Path normalization check:

Path outputPath = tempDir.resolve(name).normalize();
if (!outputPath.startsWith(tempDir)) {
    throw new IOException("Zip entry would escape extraction directory (Zip Slip attack)");
}

2. TOCTOU protection via symlink verification:

Files.createDirectories(parent);
if (!parent.toRealPath().startsWith(tempDir.toRealPath())) {
    throw new IOException("Zip entry would escape via symlink (Zip Slip attack)");
}

This prevents both:

  • Basic ../ path traversal attacks
  • Time-of-check to Time-of-use (TOCTOU) race conditions via symlinks

Security Impact

Prevents supply chain attacks where compromised transitive dependencies could achieve arbitrary file writes on developer machines or CI/CD runners, undermining Bazel's hermeticity guarantees.

Test plan

  • Code compiles
  • Path validation follows standard Zip Slip mitigation pattern
  • TOCTOU protection via toRealPath() verification

Fixes #28120

@srikantharun
Fix Zip Slip vulnerability (CWE-22) in GenClass
38f4a58 
GenClass.java was vulnerable to path traversal attacks when extracting
JAR entries. A malicious JAR file could contain entries with names like
"../../../etc/malicious.class" which would be written outside the
intended temporary extraction directory.

This fix:
- Normalizes the output path after resolving against tempDir
- Validates that the normalized path still starts with tempDir
- Throws IOException if a Zip Slip attack is detected

This prevents supply chain attacks where compromised transitive
dependencies could achieve arbitrary file writes on developer machines
or CI/CD runners.

Fixes bazelbuild#28120
@srikantharun srikantharun requested a review from a team as a code owner January 10, 2026 20:49
@github-actions github-actions Bot added team-Rules-Java Issues for Java rules awaiting-review PR is awaiting review from an assigned reviewer labels Jan 10, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jan 10, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request correctly addresses the core Zip Slip vulnerability (CWE-22) by normalizing and validating the destination path for extracted JAR entries. This is a crucial security improvement. However, the current implementation remains vulnerable to a Time-of-check to Time-of-use (TOCTOU) race condition. An attacker could potentially use symlinks to bypass the validation between the path check and the file write operation. I have added a high-severity comment with a suggested code change to mitigate this race condition by verifying the real path of the parent directory after its creation.

Comment thread src/java_tools/buildjar/java/com/google/devtools/build/buildjar/genclass/GenClass.java Outdated
@srikantharun
Address review: Add TOCTOU protection via symlink check
cb9deba 
Add additional protection against Time-of-check to Time-of-use
(TOCTOU) race conditions where an attacker could create a symlink
after the initial path validation but before file write.

After creating parent directories, verify the real path (resolving
symlinks) is still within tempDir bounds.
@srikantharun srikantharun force-pushed the fix/genclass-zipslip-cwe22 branch from 3a596dd to cb9deba Compare January 10, 2026 20:55
@hvadehra
Copy link
Copy Markdown
Member

hvadehra commented Jan 14, 2026

I think this was done differently in 559326a

@hvadehra hvadehra closed this Jan 14, 2026
@github-actions github-actions Bot removed the awaiting-review PR is awaiting review from an assigned reviewer label Jan 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

team-Rules-Java Issues for Java rules

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Zip Slip (CWE-22) hermeticity and diagnostic quality issue in GenClass

2 participants

@srikantharun @hvadehra