Summary of Changes: Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the
Code Review
This pull request adds a useful feature to allow running the studio:export command directly on a zip file. However, it introduces a critical path traversal vulnerability (Zip Slip) due to improper extraction directory handling and flawed path validation in the underlying unzip logic, making it susceptible to denial-of-service attacks via memory exhaustion or Zip Bombs. Additionally, there are general suggestions, including a high-severity recommendation to prevent potential data loss by checking for an existing extraction directory, and a medium-severity suggestion to use asynchronous I/O for best practices in async functions.
| if (fs.existsSync(rootPath) && fs.statSync(rootPath).isFile() && rootPath.endsWith(".zip")) { | ||
| logger.info(`⏳ Unzipping ${rootPath}...`); | ||
| const extractPath = rootPath.slice(0, -4); |
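Review bot: `const extractPath = rootPath.slice(0, -4)` derives the output directory by string slicing alone, so it only works when at least one character precedes `.zip`; for an archive named `.zip` the slice yields the parent directory itself, and for any other name it can silently coincide with a directory that already exists next to the archive. Build the directory from the archive's base name plus a dedicated suffix and create it explicitly (for example `fs.mkdirSync(extractPath)` without `recursive`, which throws `EEXIST` when the directory is already there) before the unzip call.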
The current derivation of extractPath by simply removing the last 4 characters from the ZIP file path is highly problematic. If the ZIP file is named .zip, extractPath could resolve to a parent directory (e.g., /home/user/ for /home/user/.zip), leading to a critical path traversal vulnerability (Zip Slip). This allows files from the archive to be extracted into unintended locations, potentially overwriting sensitive files like .bashrc or SSH keys. Additionally, the isChildDir check in src/unzip.ts is vulnerable to a prefix bypass, allowing writes to sibling directories. This also creates a risk of data loss or corrupted state if an existing directory is overwritten. To remediate, ensure extractPath is always a dedicated, newly created directory, use robust path validation (e.g., path.relative), and consider checking for and preventing overwrites of existing directories, prompting the user to remove them first.
| if (fs.existsSync(rootPath) && fs.statSync(rootPath).isFile() && rootPath.endsWith(".zip")) { | ||
| logger.info(`⏳ Unzipping ${rootPath}...`); | ||
| const extractPath = rootPath.slice(0, -4); | ||
| await unzip(rootPath, extractPath); |
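Review bot: `await unzip(rootPath, extractPath)` runs without first checking whether `extractPath` exists, so a stale or user-created directory is written into and any conflicting files are overwritten; fail (or ask the user to remove it) when the directory is present. Also, the `rootPath.endsWith(".zip")` guard on the first line is case-sensitive, so `Archive.ZIP` falls through to the directory branch and fails later with an unrelated error; comparing `path.extname(rootPath).toLowerCase()` avoids that.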
The unzip function called here buffers the entire ZIP archive into memory using fs.promises.readFile. For large archives, this can lead to memory exhaustion and crash the process. Additionally, the extraction process lacks protection against Zip Bombs (highly compressed files that expand to huge sizes), which can lead to disk space exhaustion.
Consider using a streaming ZIP parser to process entries without buffering the entire file, and implement limits on the uncompressed size of extracted files.
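The two review comments above describe the same two hardening steps: derive a dedicated extraction directory instead of slicing the path, and validate each entry's target path and declared size before writing. The following TypeScript is an added example, not code from this pull request or the project; the `-extracted` suffix, the size limits and the `ZipEntry` shape are assumptions for the illustration, and the size checks only cover the sizes declared in the archive (a streaming inflater must enforce the same cap on the bytes actually produced).

```typescript
import * as path from "node:path";

// Added example, not the project's code. Limits and the "-extracted" suffix
// are assumptions chosen for this illustration.
const MAX_ENTRY_BYTES = 256 * 1024 * 1024;  // per-entry uncompressed cap
const MAX_TOTAL_BYTES = 1024 * 1024 * 1024; // per-archive uncompressed cap

export interface ZipEntry {
  name: string;             // path as stored in the archive's central directory
  uncompressedSize: number; // declared size; enforce it again while inflating
}

// rootPath.slice(0, -4) turns "/home/user/.zip" into "/home/user/"; building
// the directory from the base name instead keeps it a sibling of the archive.
export function deriveExtractPath(zipPath: string): string {
  const base = path.basename(zipPath);
  const stem = base.length > 4 && base.toLowerCase().endsWith(".zip")
    ? base.slice(0, -4) : base;
  return path.join(path.dirname(zipPath), `${stem}-extracted`);
}

// Resolve where one entry may be written, or throw. path.relative catches
// "../" traversal, absolute entry names (which path.resolve would honour)
// and the startsWith(prefix) bypass ("/out/ex" vs "/out/ex-evil").
export function resolveEntryTarget(extractDir: string, entry: ZipEntry): string {
  const root = path.resolve(extractDir);
  const target = path.resolve(root, entry.name);
  const rel = path.relative(root, target);
  if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) {
    throw new Error(`Zip Slip: entry "${entry.name}" escapes ${root}`);
  }
  if (entry.uncompressedSize > MAX_ENTRY_BYTES) {
    throw new Error(`entry "${entry.name}" exceeds per-entry limit`);
  }
  return target;
}

// Plan a whole archive: every entry is validated and the running total of
// declared uncompressed bytes is capped before anything touches the disk.
export function planExtraction(zipPath: string, entries: ZipEntry[]): string[] {
  const extractDir = deriveExtractPath(zipPath);
  let total = 0;
  return entries.map((e) => {
    total += e.uncompressedSize;
    if (total > MAX_TOTAL_BYTES) throw new Error("archive exceeds total uncompressed limit");
    return resolveEntryTarget(extractDir, e);
  });
}
```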
| const extractedItems = fs.readdirSync(extractPath); | ||
| if ( | ||
| extractedItems.length === 1 && | ||
| fs.statSync(path.join(extractPath, extractedItems[0])).isDirectory() | ||
| ) { | ||
| rootPath = path.join(extractPath, extractedItems[0]); | ||
| } else { | ||
| rootPath = extractPath; | ||
| } |
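Review bot: `fs.statSync(path.join(extractPath, extractedItems[0])).isDirectory()` follows symbolic links, so an archive whose single top-level entry is a symlink to a directory elsewhere on disk would make that location `rootPath` and the export would read from outside the extraction directory; use `fs.lstatSync` (or `fs.promises.lstat`) so only a real directory is descended into. The synchronous `readdirSync`/`statSync` calls inside an `async` action also block the event loop; the `fs.promises` equivalents keep the same logic.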
The action function is async, so it's a good practice to use asynchronous file system operations instead of synchronous ones like fs.readdirSync and fs.statSync to avoid blocking the Node.js event loop.
```typescript
const extractedItems = await fs.promises.readdir(extractPath);
if (extractedItems.length === 1) {
  const potentialRoot = path.join(extractPath, extractedItems[0]);
  try {
    if ((await fs.promises.stat(potentialRoot)).isDirectory()) {
      rootPath = potentialRoot;
    } else {
      rootPath = extractPath;
    }
  } catch {
    // If stat fails (e.g. broken symlink), fall back to using the extract path.
    rootPath = extractPath;
  }
} else {
  rootPath = extractPath;
}
```

* Add export from zip support
* Emojis are fun
* More minor fixes
Description
Add support for running this command against a zip file.