Commit
entrypoint-aws-batch: Keep ../ path parts in ZIP archive members during extraction

The default of stripping ../ parts in member paths is a (good!)
restriction for safety and security, but such paths do not pose any
(additional) risk in the context of our Nextstrain runtime containers.
We're already downloading and executing arbitrary user-supplied code, so
the ability to overwrite system files with ZIP archive members is not
any additional privilege.

Keeping the ../ parts will allow Nextstrain CLI to construct ZIP archives
for jobs which write to sibling paths of /nextstrain/build in the
container.  This will be used for including pathogen workflow source
separate (e.g. in /nextstrain/pathogen) from the analysis working
directory (/nextstrain/build).  As a side-effect, thanks to the -o
(overwrite) option, this will also allow Nextstrain CLI's --augur,
--auspice, etc. overlays to start working with AWS Batch when previously
they did not.

Note that Nextstrain CLI does *not* permit ../ path parts when
extracting from these same ZIP archives (e.g. after a job completes to
download results), as that *would* be additional risk.  Currently it
strips ../ parts, like unzip's default behaviour, but that will change
soon to entirely skip archive members containing ../ parts.
tsibley committed Feb 13, 2025
1 parent 3ea8f75 commit b759049
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion entrypoint-aws-batch
@@ -8,7 +8,7 @@ set -x
case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
s3://*.zip)
aws s3 cp --no-progress "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" "$PWD.zip"
unzip "$PWD.zip"
unzip -: -o "$PWD.zip"
;;
s3://*)
# Note that this doesn't preserve file permissions/modes.
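Review bot: The new `unzip -: -o "$PWD.zip"` line should carry an inline comment, because `-:` (permit `../` path components in member names) is an obscure Info-ZIP option and a future reader will reasonably read it as a path-traversal bug and strip it, silently breaking the sibling-path layout (/nextstrain/pathogen beside /nextstrain/build) this commit enables. Suggest carrying the rationale from the commit message into the script directly above the line, e.g. `# -: keep ../ parts so archives can write to siblings of /nextstrain/build; we already run arbitrary user code here, so this adds no privilege` and `# -o overwrite existing files without prompting (needed for the --augur/--auspice overlays)`. Also worth confirming that the unzip in the runtime image is Info-ZIP, since not every unzip implementation accepts `-:`; the visible context shows only `set -x`, and if the script does not also fail on error, a rejected flag would appear only as a logged error in the job output rather than aborting the extraction before the job runs on a partially or wholly missing working directory.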
