Skip to content

Harden kosit:install against untrusted downloads & extraction (checksum + zip-slip + deterministic JAR) #1

Description

@jbagsik

Context

From a security review of the moox/kosit-validator install path. kosit:install downloads the validator JAR and the XRechnung config zip and later executes the JAR via java -jar; today the download is only status/size-checked and the zip is extracted without entry validation — a remote-code-execution chain (compromised/MITM'd/misconfigured download → executed code). Same risk class already being hardened for veraPDF in mooxphp/verapdf#3. Privileged-CLI only, but impact is code execution.

What to build

kosit:install only ever installs and runs artifacts it has verified, extracted safely, and selected deterministically — so a tampered download or crafted archive cannot lead to code execution.

Acceptance criteria

  • The downloaded validator JAR and XRechnung config archive are integrity-verified before use (pinned SHA-256 or signature); a mismatch aborts the install with a clear error and leaves no partial/unverified artifact runnable.
  • Archive extraction rejects any entry that resolves outside the target directory (zip-slip safe) — no ../absolute-path escape.
  • HTTP redirects during download are restricted to HTTPS (no protocol downgrade to plain HTTP).
  • The validator JAR is selected deterministically (expected filename/version), not the first glob() match, so a stray or planted jar in the directory cannot be the one executed.
  • Failure modes are clear and non-destructive; documented: where the expected checksum/signature comes from and how to update it when the pinned version changes.
  • Existing package tests stay green.

Blocked by

None — can start immediately.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ready-for-agentSpec is ready for an agent to implement

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions