entrypoint-aws-batch: Keep ../ path parts in ZIP archive members during extraction
The default of stripping ../ parts in member paths is a (good!)
restriction for safety and security, but such paths do not pose any
(additional) risk in the context of our Nextstrain runtime containers.
We're already downloading and executing arbitrary user-supplied code, so
the ability to overwrite system files with ZIP archive members is not
any additional privilege.
Keeping the ../ parts will allow Nextstrain CLI to construct ZIP archives
for jobs which write to sibling paths of /nextstrain/build in the
container. This will be used for including pathogen workflow source
separate (e.g. in /nextstrain/pathogen) from the analysis working
directory (/nextstrain/build). As a side-effect, thanks to the -o
(overwrite) option, this will also allow Nextstrain CLI's --augur,
--auspice, etc. overlays to start working with AWS Batch when previously
they did not.
Note that Nextstrain CLI does *not* permit ../ path parts when
extracting from these same ZIP archives (e.g. after a job completes to
download results), as that *would* be additional risk. Currently it
strips ../ parts, like unzip's default behaviour, but that will change
soon to entirely skip archive members containing ../ parts.
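The three extraction policies the commit message contrasts, as an added example that is not part of the commit or of Nextstrain CLI's own code: "strip" mimics unzip's default of dropping `../` components, "skip" refuses any member containing one (the download-side behaviour the message says is coming), and "keep" honours `../` so a member can land beside the working directory (the container-side behaviour this commit enables). The archive contents, the temporary directory layout and the `/nextstrain/build` and `/nextstrain/pathogen` paths are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile
from typing import List, Optional

# Constructed sample archive (not a real Nextstrain job bundle): one ordinary
# result, one member aimed at the sibling /nextstrain/pathogen directory, and
# one that climbs further out of the tree.
SAMPLE_MEMBERS = {
    "results/tree.json": b"{}",
    "../pathogen/Snakefile": b"rule all:\n    input: 'results/tree.json'\n",
    "../../outside.txt": b"escaped\n",
}


def build_archive() -> bytes:
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
    return buf.getvalue()


def target_for(member: str, dest: str, policy: str) -> Optional[str]:
    """Where a member would be written under a policy, or None if refused.

    'strip': drop every '..' component but still extract (unzip's default).
    'skip':  refuse the whole member if any '..' component is present.
    'keep':  honour '..' so the member may land outside dest.
    """
    parts = member.split("/")
    if policy == "skip" and ".." in parts:
        return None
    if policy == "strip":
        parts = [p for p in parts if p != ".."]
    rel = "/".join(p for p in parts if p not in ("", "."))
    return os.path.normpath(os.path.join(dest, rel))


def escapes(target: str, dest: str) -> bool:
    """True if target resolves outside dest (the zip-slip condition)."""
    dest = os.path.normpath(dest)
    return os.path.commonpath([dest, target]) != dest


def extract(archive: bytes, dest: str, policy: str) -> List[str]:
    """Extract archive into dest under the given policy; return paths written.

    Files are opened for writing, so existing files are overwritten, which is
    the same effect as unzip's -o option mentioned in the commit message.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = target_for(info.filename, dest, policy)
            if target is None:
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(target)
    return written


def demo(policy: str) -> List[str]:
    """Extract the sample archive into <tmp>/nextstrain/build under a policy
    and return the written paths relative to <tmp>, sorted, so the effect of
    each policy on sibling and escaping members is visible without touching
    the real filesystem outside a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "nextstrain", "build")
        os.makedirs(dest)
        written = extract(build_archive(), dest, policy)
        return sorted(os.path.relpath(p, root) for p in written)


if __name__ == "__main__":
    for policy in ("strip", "skip", "keep"):
        print(policy, demo(policy))
    for name in SAMPLE_MEMBERS:
        t = target_for(name, "/nextstrain/build", "keep")
        print(f"keep: {name!r} -> {t} escapes={escapes(t, '/nextstrain/build')}")
```

The "strip" policy is the one to be wary of on the download side: the escaping member is not refused, it is silently relocated under the destination and still written, whereas "skip" drops it entirely. In the container the "keep" policy is what places `../pathogen/Snakefile` at `/nextstrain/pathogen/Snakefile`, a sibling of the build directory, exactly the layout the commit message describes.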