Skip to content

[Security] Harden archiver against Zip Slip traversal#7593

Draft
gonzaloriestra wants to merge 1 commit into
mainfrom
jules-security-harden-archiver-zip-slip-5148143385783206268
Draft

[Security] Harden archiver against Zip Slip traversal#7593
gonzaloriestra wants to merge 1 commit into
mainfrom
jules-security-harden-archiver-zip-slip-5148143385783206268

Conversation

@gonzaloriestra
Copy link
Copy Markdown
Contributor

@gonzaloriestra gonzaloriestra commented May 21, 2026

WHY are these changes introduced?

To prevent Zip Slip vulnerabilities where files outside the intended input directory could be included in archives via path traversal patterns in glob expressions.

WHAT is this pull request doing?

This PR hardens the zip and brotliCompress utilities in @shopify/cli-kit by:

  • Filtering the results of directory globs to ensure all files are within the input directory using isSubpath.
  • Adding a "fail-closed" safety check in the internal archiveFile helper that throws an AbortError if a path escapes the trust boundary.
  • Adding a regression test in archiver.integration.test.ts that specifically verifies traversal attempts are blocked.

How to test your changes?

CI

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — I've identified the correct bump type (patch for bug fixes · minor for new features · major for breaking changes) and added a changeset with pnpm changeset add

PR created automatically by Jules for task 5148143385783206268 started by @gonzaloriestra

@gonzaloriestra
[Security] Harden archiver against Zip Slip traversal
51df086 
This change prevents files outside the input directory from being included in archives when using `zip` or `brotliCompress`. It validates that all files matched by glob patterns are subpaths of the intended input directory.

- Filter paths using `isSubpath` in `zip` and `brotliCompress`.
- Add a safety check in `archiveFile` helper.
- Add regression test in `archiver.integration.test.ts`.
@google-labs-jules
Copy link
Copy Markdown

google-labs-jules Bot commented May 21, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@github-actions github-actions Bot added the no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. label May 21, 2026
@gonzaloriestra gonzaloriestra added the Jules Created by Jules label May 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Jules Created by Jules no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gonzaloriestra