xeraph
commented
2 years ago Hmm.. Someone may implement this issue. However I don't want any additional dependency. Scanner will get complicated to support nested scanning and patching.
Open arykov opened 2 years ago
xeraph
commented
2 years ago Hmm.. Someone may implement this issue. However I don't want any additional dependency. Scanner will get complicated to support nested scanning and patching.
pinacoelho
commented
2 years ago Since tar.gz isn't usable by a java application, this would add complexity without identifying vulnerable applications. We should keep the focus on the directly usable formarts (JAR/EAR/WAR).
arykov
commented
2 years ago @pinacoelho, agreed on complexity(relative to zip). But disagree on value. There frequently are cases when software is distributed or backed up this way. So there is a risk of reintroduction of the problem. I assume you had the same rationale when implementing zip support and deciding not to limit "nesting" at 3 ear->war->jar
pinacoelho
commented
2 years ago So there is a risk of reintroduction of the problem.
There's always a risk, but while going down tar.gz's would cover that, it doesn't cover off-machine backups (Veritas NetBackup, IBM TSM, etc...). Also, backups are sacred: as a sysadmin, whatever I've put in a backup, I expect to be there when I restore (for whatever reason), and that's non-negotiable from sysadmin and audit PoVs.
I assume you had the same rationale when implementing zip support and deciding not to limit "nesting" at 3 ear->war->jar
Not my rationale, but in my opinion a valid one. EARs/WARs are archives of archives, so to find the JAR that you're running, you have to go inside.
This is Xeraph's brainchild, it would be up to him to decide.
Would be good to add tar.gz support at least for scanning at least at the top level.