
Solve Zip Slip Path Traversal in quarkus-openapi-generator ApicurioCodegenWrapper#1524

Merged
ricardozanini merged 1 commit into quarkiverse:main from mcruzdev:cwe-22
Apr 7, 2026

Conversation

mcruzdev (Member) commented Apr 6, 2026

This pull request strengthens the security of the ZIP extraction logic in ApicurioCodegenWrapper by preventing path traversal attacks, and adds comprehensive unit tests to verify this behavior.

Security improvements:

  • Updated the unzip method in ApicurioCodegenWrapper to validate that each ZIP entry is extracted only within the intended output directory, throwing an exception if a path traversal attempt is detected.

Testing enhancements:

  • Added a new test class ApicurioCodegenWrapperTest with tests that:
    • Verify safe extraction of regular ZIP entries.
    • Ensure extraction fails with an appropriate error when a ZIP entry attempts path traversal.
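The containment check the PR describes, shown as an added example that is not the quarkus-openapi-generator code: a vulnerable `unzipUnsafe` next to a hardened `unzipSafe` built on `java.util.zip` only, driven by a malicious archive constructed in memory. The class name `ZipSlipDemo`, the method names, and the entry names `gen/Api.java` and `../escaped.txt` are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added example, not the project's code: a Zip Slip (CWE-22) demonstration.
 * Method and class names here are hypothetical.
 */
public class ZipSlipDemo {

    /** Vulnerable: the entry name is trusted, so "../x" lands outside outputDir. */
    static void unzipUnsafe(InputStream in, Path outputDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = outputDir.resolve(entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target);
                }
                zis.closeEntry();
            }
        }
    }

    /** Hardened: normalize the resolved path and require it to stay under outputDir. */
    static void unzipSafe(InputStream in, Path outputDir) throws IOException {
        Path root = outputDir.toAbsolutePath().normalize();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // normalize() collapses "..", and resolve() of an absolute entry name
                // ("/etc/passwd") yields that absolute path, so both cases fail the check.
                Path target = root.resolve(entry.getName()).normalize();
                // Path.startsWith compares whole path components, not string prefixes,
                // so "/tmp/out-evil" is not accepted as being inside "/tmp/out".
                if (!target.startsWith(root)) {
                    throw new IOException("Zip entry outside of target directory: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target);
                }
                zis.closeEntry();
            }
        }
    }

    /** Builds a one-entry archive in memory; java.util.zip does not validate entry names. */
    static byte[] buildZip(String entryName, String content) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry(entryName));
            zos.write(content.getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("zipslip-demo");
        Path out = Files.createDirectories(base.resolve("out"));

        // Constructed sample archives: one benign entry, one traversal attempt.
        byte[] benign = buildZip("gen/Api.java", "class Api {}");
        byte[] malicious = buildZip("../escaped.txt", "owned");

        unzipSafe(new ByteArrayInputStream(benign), out);
        System.out.println("benign entry extracted: " + Files.exists(out.resolve("gen/Api.java")));

        try {
            unzipSafe(new ByteArrayInputStream(malicious), out);
        } catch (IOException e) {
            System.out.println("hardened unzip rejected entry: " + e.getMessage());
        }

        unzipUnsafe(new ByteArrayInputStream(malicious), out);
        System.out.println("unsafe unzip wrote outside out/: " + Files.exists(base.resolve("escaped.txt")));
    }
}
```

Two caveats worth keeping in mind when porting this check: `normalize()` is purely lexical and does not follow symlinks, so if the output directory can already contain attacker-controlled symlinks the extraction should go into a freshly created directory (or compare against `toRealPath()` of the existing parent); and a unit test for the rejection path should assert on the exception being thrown, as the PR's test does, rather than only on the absence of the escaped file.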

@mcruzdev mcruzdev requested a review from a team as a code owner April 6, 2026 21:39
@mcruzdev mcruzdev changed the title Solve Zip Slip Path Traversal in quarkus-openapi-generator ApicurioCo… Solve Zip Slip Path Traversal in quarkus-openapi-generator ApicurioCodegenWrapper Apr 6, 2026
ricardozanini (Member) commented:

cc @oscerd, would you like to take a look since you reported it?

oscerd left a comment:

Looks good to me. Thanks for fixing!

…degenWrapper class

Signed-off-by: Matheus Cruz <matheuscruz.dev@gmail.com>
@ricardozanini ricardozanini merged commit 08b4064 into quarkiverse:main Apr 7, 2026
11 checks passed

3 participants