Merge remote-tracking branch 'origin/dev'

.github/workflows/analysis.yml

@@ -15,7 +15,8 @@ jobs:
       - name: Static Code Analysis
         uses: golangci/golangci-lint-action@v3
         with:
-          args: -E=errcheck,gosimple,govet,ineffassign,staticcheck,typecheck,unused,gocritic,asasalint,asciicheck,errchkjson,errname,exportloopref,forcetypeassert,makezero,nilerr,unparam,unconvert,wastedassign,usestdlibvars --timeout=5m
+          args: |
+            --timeout 5m --out-${NO_FUTURE}format colored-line-number --enable errcheck,gosimple,govet,ineffassign,staticcheck,typecheck,unused,gocritic,asasalint,asciicheck,errchkjson,exportloopref,forcetypeassert,makezero,nilerr,unparam,unconvert,wastedassign,usestdlibvars 
 
 
   Go-Sec:

.github/workflows/frogbot-fix.yml → .github/workflows/frogbot-scan-and-fix.yml

@@ -1,8 +1,17 @@
-name: "Frogbot Fix"
+name: "Frogbot Scan and Fix"
 on:
   push:
+    # Creating fix pull requests will be triggered by any push to one of the these branches.
+    # You can add or replace to any branch you want to open fix pull requests for.
     branches:
       - 'dev'
+  schedule:
+    # The job will run once a day at 00:00 GMT.
+    - cron: "0 0 * * *"
+permissions:
+  contents: write
+  pull-requests: write
+  security-events: write
 jobs:
   frogbot:
     runs-on: ubuntu-latest

artifactory/services/download.go

@@ -381,7 +381,7 @@ func (ds *DownloadService) downloadFile(downloadFileDetails *httpclient.Download
 	if bulkDownload {
 		var resp *http.Response
 		resp, err := ds.client.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, &httpClientsDetails,
-			downloadParams.IsExplode(), ds.Progress)
+			downloadParams.IsExplode(), downloadParams.IsBypassArchiveInspection(), ds.Progress)
 		if err != nil {
 			return err
 		}
@@ -547,7 +547,7 @@ func (ds *DownloadService) downloadFileIfNeeded(downloadPath, localPath, localFi
 	if isEqual {
 		log.Debug(logMsgPrefix, "File already exists locally.")
 		if downloadParams.IsExplode() {
-			e = clientutils.ExtractArchive(localPath, localFileName, downloadData.Dependency.Name, logMsgPrefix)
+			e = clientutils.ExtractArchive(localPath, localFileName, downloadData.Dependency.Name, logMsgPrefix, downloadParams.IsBypassArchiveInspection())
 		}
 		return e
 	}
@@ -589,14 +589,15 @@ type DownloadData struct {
 
 type DownloadParams struct {
 	*utils.CommonParams
-	Symlink         bool
-	ValidateSymlink bool
-	Flat            bool
-	Explode         bool
-	MinSplitSize    int64
-	SplitCount      int
-	PublicGpgKey    string
-	SkipChecksum    bool
+	Symlink                 bool
+	ValidateSymlink         bool
+	Flat                    bool
+	Explode                 bool
+	BypassArchiveInspection bool
+	MinSplitSize            int64
+	SplitCount              int
+	PublicGpgKey            string
+	SkipChecksum            bool
 }
 
 func (ds *DownloadParams) IsFlat() bool {
@@ -607,6 +608,10 @@ func (ds *DownloadParams) IsExplode() bool {
 	return ds.Explode
 }
 
+func (ds *DownloadParams) IsBypassArchiveInspection() bool {
+	return ds.BypassArchiveInspection
+}
+
 func (ds *DownloadParams) GetFile() *utils.CommonParams {
 	return ds.CommonParams
 }

go.mod

@@ -9,8 +9,8 @@ require (
 	github.com/go-git/go-git/v5 v5.6.1
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/gookit/color v1.5.3
-	github.com/jfrog/build-info-go v1.9.2
-	github.com/jfrog/gofrog v1.2.5
+	github.com/jfrog/build-info-go v1.9.3
+	github.com/jfrog/gofrog v1.3.0
 	github.com/mholt/archiver/v3 v3.5.1
 	github.com/stretchr/testify v1.8.2
 	github.com/xanzy/ssh-agent v0.3.3
@@ -57,4 +57,4 @@ require (
 
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230418123708-71a0dbbcb331
 
-// replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.5-0.20221107113836-a4c9225c690e
+// replace github.com/jfrog/gofrog => github.com/jfrog/gofrog dev

go.sum

@@ -55,10 +55,10 @@ github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
-github.com/jfrog/build-info-go v1.9.2 h1:gSX9PH3whFcAMtM9dlPxRE7u9YuYcx8IkfVXQKRjWw0=
-github.com/jfrog/build-info-go v1.9.2/go.mod h1:hHXyLsG0SW1jQa4g6q8x2LGAvvX/MMqWVFTcIUAF2PI=
-github.com/jfrog/gofrog v1.2.5 h1:jCgJC0iGQ8bU7jCC+YEFJTNINyngApIrhd8BjZAVRIE=
-github.com/jfrog/gofrog v1.2.5/go.mod h1:o00tSRff6IapTgaCMuX1Cs9MH08Y1JqnsKgRtx91Gc4=
+github.com/jfrog/build-info-go v1.9.3 h1:ZpVcNM4hH+r6dK0ERdSNaizuZALPgSdE29Da1Iki1fo=
+github.com/jfrog/build-info-go v1.9.3/go.mod h1:GbuFS+viHCKZYx9nWHYu7ab1DgQkFdtVN3BJPUNb2D4=
+github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk=
+github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=

http/httpclient/client.go

@@ -326,31 +326,31 @@ func (jc *HttpClient) ReadRemoteFile(downloadPath string, httpClientsDetails htt
 // Bulk downloads a file.
 // You may implement the log.Progress interface, or pass nil to run without progress display.
 func (jc *HttpClient) DownloadFileWithProgress(downloadFileDetails *DownloadFileDetails, logMsgPrefix string,
-	httpClientsDetails httputils.HttpClientDetails, isExplode bool, progress ioutils.ProgressMgr) (*http.Response, error) {
-	resp, _, err := jc.downloadFile(downloadFileDetails, logMsgPrefix, true, httpClientsDetails, isExplode, progress)
+	httpClientsDetails httputils.HttpClientDetails, isExplode, isBypassArchiveInspection bool, progress ioutils.ProgressMgr) (*http.Response, error) {
+	resp, _, err := jc.downloadFile(downloadFileDetails, logMsgPrefix, true, httpClientsDetails, isExplode, isBypassArchiveInspection, progress)
 	return resp, err
 }
 
 // Bulk downloads a file.
 func (jc *HttpClient) DownloadFile(downloadFileDetails *DownloadFileDetails, logMsgPrefix string,
-	httpClientsDetails httputils.HttpClientDetails, isExplode bool) (*http.Response, error) {
-	return jc.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, httpClientsDetails, isExplode, nil)
+	httpClientsDetails httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool) (*http.Response, error) {
+	return jc.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, httpClientsDetails, isExplode, bypassArchiveInspection, nil)
 }
 
 func (jc *HttpClient) DownloadFileNoRedirect(downloadPath, localPath, fileName string, httpClientsDetails httputils.HttpClientDetails) (*http.Response, string, error) {
 	downloadFileDetails := &DownloadFileDetails{DownloadPath: downloadPath, LocalPath: localPath, FileName: fileName}
-	return jc.downloadFile(downloadFileDetails, "", false, httpClientsDetails, false, nil)
+	return jc.downloadFile(downloadFileDetails, "", false, httpClientsDetails, false, false, nil)
 }
 
 func (jc *HttpClient) downloadFile(downloadFileDetails *DownloadFileDetails, logMsgPrefix string, followRedirect bool,
-	httpClientsDetails httputils.HttpClientDetails, isExplode bool, progress ioutils.ProgressMgr) (resp *http.Response, redirectUrl string, err error) {
+	httpClientsDetails httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool, progress ioutils.ProgressMgr) (resp *http.Response, redirectUrl string, err error) {
 	retryExecutor := utils.RetryExecutor{
 		MaxRetries:               jc.retries,
 		RetriesIntervalMilliSecs: jc.retryWaitMilliSecs,
 		ErrorMessage:             fmt.Sprintf("Failure occurred while downloading %s", downloadFileDetails.DownloadPath),
 		LogMsgPrefix:             logMsgPrefix,
 		ExecutionHandler: func() (bool, error) {
-			resp, redirectUrl, err = jc.doDownloadFile(downloadFileDetails, logMsgPrefix, followRedirect, httpClientsDetails, isExplode, progress)
+			resp, redirectUrl, err = jc.doDownloadFile(downloadFileDetails, logMsgPrefix, followRedirect, httpClientsDetails, isExplode, bypassArchiveInspection, progress)
 			// In case followRedirect is 'false' and doDownloadFile did redirect, an error is returned and redirectUrl
 			// receives the redirect address. This case should not retry.
 			if err != nil && !followRedirect && redirectUrl != "" {
@@ -379,7 +379,7 @@ func (jc *HttpClient) downloadFile(downloadFileDetails *DownloadFileDetails, log
 }
 
 func (jc *HttpClient) doDownloadFile(downloadFileDetails *DownloadFileDetails, logMsgPrefix string, followRedirect bool,
-	httpClientsDetails httputils.HttpClientDetails, isExplode bool, progress ioutils.ProgressMgr) (resp *http.Response, redirectUrl string, err error) {
+	httpClientsDetails httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool, progress ioutils.ProgressMgr) (resp *http.Response, redirectUrl string, err error) {
 	resp, redirectUrl, err = jc.sendGetForFileDownload(downloadFileDetails.DownloadPath, followRedirect, httpClientsDetails, "")
 	if err != nil {
 		return
@@ -404,7 +404,7 @@ func (jc *HttpClient) doDownloadFile(downloadFileDetails *DownloadFileDetails, l
 
 	// Extract archive.
 	if isExplode {
-		err = utils.ExtractArchive(downloadFileDetails.LocalPath, downloadFileDetails.LocalFileName, downloadFileDetails.FileName, logMsgPrefix)
+		err = utils.ExtractArchive(downloadFileDetails.LocalPath, downloadFileDetails.LocalFileName, downloadFileDetails.FileName, logMsgPrefix, bypassArchiveInspection)
 	}
 	return
 }
@@ -517,7 +517,7 @@ func (jc *HttpClient) DownloadFileConcurrently(flags ConcurrentDownloadFlags, lo
 	}
 
 	if flags.Explode {
-		if err = utils.ExtractArchive(flags.LocalPath, flags.LocalFileName, flags.FileName, logMsgPrefix); err != nil {
+		if err = utils.ExtractArchive(flags.LocalPath, flags.LocalFileName, flags.FileName, logMsgPrefix, flags.BypassArchiveInspection); err != nil {
 			return
 		}
 	}
@@ -798,14 +798,15 @@ type DownloadFileDetails struct {
 }
 
 type ConcurrentDownloadFlags struct {
-	FileName      string
-	DownloadPath  string
-	RelativePath  string
-	LocalFileName string
-	LocalPath     string
-	ExpectedSha1  string
-	FileSize      int64
-	SplitCount    int
-	Explode       bool
-	SkipChecksum  bool
+	FileName                string
+	DownloadPath            string
+	RelativePath            string
+	LocalFileName           string
+	LocalPath               string
+	ExpectedSha1            string
+	FileSize                int64
+	SplitCount              int
+	Explode                 bool
+	BypassArchiveInspection bool
+	SkipChecksum            bool
 }

http/jfroghttpclient/client.go

@@ -118,17 +118,17 @@ func (rtc *JfrogHttpClient) ReadRemoteFile(downloadPath string, httpClientsDetai
 }
 
 func (rtc *JfrogHttpClient) DownloadFileWithProgress(downloadFileDetails *httpclient.DownloadFileDetails, logMsgPrefix string,
-	httpClientsDetails *httputils.HttpClientDetails, isExplode bool, progress ioutils.ProgressMgr) (resp *http.Response, err error) {
+	httpClientsDetails *httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool, progress ioutils.ProgressMgr) (resp *http.Response, err error) {
 	err = rtc.runPreRequestInterceptors(httpClientsDetails)
 	if err != nil {
 		return
 	}
-	return rtc.httpClient.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, *httpClientsDetails, isExplode, progress)
+	return rtc.httpClient.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, *httpClientsDetails, isExplode, bypassArchiveInspection, progress)
 }
 
 func (rtc *JfrogHttpClient) DownloadFile(downloadFileDetails *httpclient.DownloadFileDetails, logMsgPrefix string,
-	httpClientsDetails *httputils.HttpClientDetails, isExplode bool) (resp *http.Response, err error) {
-	return rtc.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, httpClientsDetails, isExplode, nil)
+	httpClientsDetails *httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool) (resp *http.Response, err error) {
+	return rtc.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, httpClientsDetails, isExplode, bypassArchiveInspection, nil)
 }
 
 func (rtc *JfrogHttpClient) DownloadFileConcurrently(flags httpclient.ConcurrentDownloadFlags,

utils/archiveutils.go

@@ -1,21 +1,26 @@
 package utils
 
 import (
-	"github.com/jfrog/jfrog-client-go/utils/errorutils"
-	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
-	"github.com/jfrog/jfrog-client-go/utils/log"
 	"os"
 	"path/filepath"
 	"strings"
+
+	"github.com/jfrog/gofrog/unarchive"
+	"github.com/jfrog/jfrog-client-go/utils/errorutils"
+	"github.com/jfrog/jfrog-client-go/utils/log"
 )
 
 // localPath - The path of the downloaded archive file.
-// localFileName - name of the archive file.
-// originFileName - name of the archive file in Artifactory.
-// logMsgPrefix - prefix log message.
+// localFileName - The name of the archive file.
+// originFileName - The name of the archive file in Artifactory.
+// logMsgPrefix - A prefix to the log message.
+// bypassInspection - Set to true to bypass archive inspection against ZipSlip
 // Extract an archive file to the 'localPath'.
-func ExtractArchive(localPath, localFileName, originFileName, logMsgPrefix string) error {
-	if !fileutils.IsSupportedArchive(originFileName) {
+func ExtractArchive(localPath, localFileName, originFileName, logMsgPrefix string, bypassInspection bool) error {
+	unarchiver := &unarchive.Unarchiver{
+		BypassInspection: bypassInspection,
+	}
+	if !unarchiver.IsSupportedArchive(originFileName) {
 		return nil
 	}
 	extractionPath, err := getExtractionPath(localPath)
@@ -37,13 +42,12 @@ func ExtractArchive(localPath, localFileName, originFileName, logMsgPrefix strin
 		return err
 	}
 	log.Info(logMsgPrefix+"Extracting archive:", archivePath, "to", extractionPath)
-	return extract(archivePath, originFileName, extractionPath)
+	return errorutils.CheckError(extract(archivePath, originFileName, extractionPath, unarchiver))
 }
 
-func extract(localFilePath, originArchiveName, extractionPath string) error {
-	err := fileutils.Unarchive(localFilePath, originArchiveName, extractionPath)
-	if err != nil {
-		return err
+func extract(localFilePath, originArchiveName, extractionPath string, unarchiver *unarchive.Unarchiver) error {
+	if err := unarchiver.Unarchive(localFilePath, originArchiveName, extractionPath); err != nil{
+		return errorutils.CheckError(err)
 	}
 	// If the file was extracted successfully, remove it from the file system
 	return errorutils.CheckError(os.Remove(localFilePath))