
fix: Arbitrary file access during archive extraction a filepath.Join Path Traversal #6762

Open · wants to merge 1 commit into base: main

Conversation

odaysec

@odaysec odaysec commented Jul 26, 2025

```go
header, err := tarReader.Next()
```

devtron/util/helper.go, lines 197 to 198 in 680616b:

```go
if _, err := os.Stat(filepath.Join(chartDir, header.Name)); os.IsNotExist(err) {
    if err := os.MkdirAll(filepath.Join(chartDir, header.Name), 0755); err != nil {
```

devtron/util/helper.go, lines 206 to 213 in 680616b:

```go
outFile, err := os.Create(filepath.Join(chartDir, header.Name))
if err != nil {
    dirName := filepath.Dir(header.Name)
    if _, err1 := os.Stat(filepath.Join(chartDir, dirName)); os.IsNotExist(err1) {
        if err1 = os.MkdirAll(filepath.Join(chartDir, dirName), 0755); err1 != nil {
            return err1
        }
    outFile, err = os.Create(filepath.Join(chartDir, header.Name))
```

Extracting files from a malicious zip file, or a similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. Zip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (..). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.

To fix the "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" vulnerability, we must ensure that files extracted from the tar archive cannot escape the intended extraction directory (chartDir). The best way to do this is to:

  1. Clean the archive entry name using filepath.Clean.
  2. Ensure the resulting path is not absolute and does not contain any .. elements that would traverse outside the target directory.
  3. Construct the full output path using filepath.Join(chartDir, cleanedName).
  4. After joining, check that the resulting path is still within chartDir (i.e., it has not escaped via symlinks or traversal).

We should perform these checks before any filesystem operation (directory creation, file writing, etc.) that uses the archive entry name.

Required changes:

  • Add a helper function (within this file) to validate and join the archive entry name safely.
  • Use this function to get the output path for all file and directory operations in ExtractTarGz.
  • Add necessary imports if not already present (e.g., path/filepath, strings are already imported).

Checklist:

  • The title of the PR states what changed and the related issues number (used for the release note).
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have tested it for all user roles.
  • I have added all the required unit/api test cases.

Does this PR introduce a user-facing change?


Summary by Bito

This PR fixes a critical security vulnerability by preventing directory traversal attacks in the archive extraction process. It introduces a safeJoin function in util/helper.go to validate file paths and ensure all filesystem operations remain within the intended directory.
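The four-step validation described in the PR body, written out as an added example (this is not devtron's `safeJoin` and not code from the PR; `chartDir` and the entry names in `main` are constructed): clean the entry name, reject absolute names and `..` elements, join under `chartDir`, then confirm with `filepath.Rel` that the result is still inside it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for any archive entry that would land outside chartDir.
var ErrUnsafePath = errors.New("archive entry escapes extraction directory")

// safeJoin validates a tar entry name and returns the path it may be written to.
// Cleaning happens first, so "a/b/../c.yaml" (which stays inside the directory)
// is accepted while "charts/../../x" (which escapes) is rejected.
func safeJoin(chartDir, entryName string) (string, error) {
	// Tar entry names use forward slashes; normalise to the host separator.
	cleaned := filepath.Clean(filepath.FromSlash(entryName))
	if filepath.IsAbs(cleaned) || filepath.VolumeName(cleaned) != "" {
		return "", fmt.Errorf("%w: absolute entry %q", ErrUnsafePath, entryName)
	}
	for _, elem := range strings.Split(cleaned, string(filepath.Separator)) {
		if elem == ".." {
			return "", fmt.Errorf("%w: %q contains a parent-directory element", ErrUnsafePath, entryName)
		}
	}
	dest := filepath.Join(chartDir, cleaned)
	// Final lexical containment check on the joined path (step 4 of the PR body).
	// A symlink planted by an earlier entry is not visible to this check; resolve the
	// existing parent directory with filepath.EvalSymlinks before writing if that matters.
	rel, err := filepath.Rel(chartDir, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrUnsafePath, entryName, dest)
	}
	return dest, nil
}

func main() {
	// Constructed sample entry names, as they might appear in a chart tarball.
	for _, name := range []string{"templates/deployment.yaml", "a/b/../c.yaml", "../../etc/passwd", "/etc/passwd", "charts/../../x"} {
		dest, err := safeJoin("/tmp/chart", name)
		fmt.Printf("%-28s -> %s %v\n", name, dest, err)
	}
}
```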


bito-code-review bot commented Jul 26, 2025

Code Review Agent Run #ed2851

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: 12c7990..12c7990
    • util/helper.go
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful



Changelist by Bito

This pull request implements the following key changes.

| Key Change | Files Impacted |
|---|---|
| Bug Fix - Security Fixes in Archive Extraction | helper.go - Introduced a safeJoin helper to validate archive entry names and enforce path restrictions, preventing directory traversal vulnerabilities. |
