Context
From a security review of the moox/kosit-validator install path. kosit:install downloads the validator JAR and the XRechnung config zip and later executes the JAR via java -jar; today the download is only status/size-checked and the zip is extracted without entry validation — a remote-code-execution chain (compromised/MITM'd/misconfigured download → executed code). Same risk class already being hardened for veraPDF in mooxphp/verapdf#3. Privileged-CLI only, but impact is code execution.
What to build
kosit:install only ever installs and runs artifacts it has verified, extracted safely, and selected deterministically — so a tampered download or crafted archive cannot lead to code execution.
Acceptance criteria
Blocked by
None — can start immediately.
Context
From a security review of the
moox/kosit-validatorinstall path.kosit:installdownloads the validator JAR and the XRechnung config zip and later executes the JAR viajava -jar; today the download is only status/size-checked and the zip is extracted without entry validation — a remote-code-execution chain (compromised/MITM'd/misconfigured download → executed code). Same risk class already being hardened for veraPDF in mooxphp/verapdf#3. Privileged-CLI only, but impact is code execution.What to build
kosit:installonly ever installs and runs artifacts it has verified, extracted safely, and selected deterministically — so a tampered download or crafted archive cannot lead to code execution.Acceptance criteria
../absolute-path escape.glob()match, so a stray or planted jar in the directory cannot be the one executed.Blocked by
None — can start immediately.