Improving security in case of malicious archive content - 8.0

Talend Installation Guide

Version
8.0
Language
English
Operating system
Windows
Subscription type
Subscription
Product
Talend Big Data
Talend Big Data Platform
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Module
Talend Activity Monitoring Console
Talend Administration Center
Talend Artifact Repository
Talend CommandLine
Talend Data Preparation
Talend Data Stewardship
Talend ESB
Talend Identity and Access Management
Talend Installer
Talend JobServer
Talend LogServer
Talend MDM Server
Talend MDM Web UI
Talend Runtime
Talend SAP RFC Server
Talend Studio
Content
Installation and Upgrade
Last publication date
2022-10-30
Talend JobServer has built-in protection against Zip Slip and Zip Symlink attacks. To harden it further, you can set limits on archive properties to protect Talend JobServer against malicious Job archive content.

Malicious Job archive content can be used for Denial of Service attacks that aim to break the file system or exhaust disk space.

To reduce this risk, you can set stricter limits on folder and file names and on archive sizes, taking into account the space your Job deployments need. The default values are stored in the org.talend.remote.jobserver.server.cfg file located in the etc directory and are available from the 8.0.1.20221028_0746_patch version of Talend JobServer.

These values should not be higher than the name lengths supported by the file system that holds the TalendJobServersFiles folder. If one or more limits are exceeded, an error message is displayed and the deployment is rejected.

The default values for the editable parameters are listed in the following table. These parameter names all start with:
org.talend.remote.jobserver.commons.config.JobServerConfiguration.

Parameters to improve security in case of malicious archive content

| Parameter                       | Description                                                                                      | Default value  |
|---------------------------------|--------------------------------------------------------------------------------------------------|----------------|
| MAX_UNZIPPED_SIZE               | Maximum size of the archive ZIP file content that is extracted during deployment.                | 1 GB           |
| MAX_ZIPPED_ENTRIES              | Maximum number of entries in the archive file.                                                   | 2048           |
| MAX_ZIP_NAME_LENGTH             | Maximum length of the archive ZIP file name.                                                     | 240 characters |
| MAX_UNZIPPED_FOLDER_NAME_LENGTH | Maximum length of folder names inside the archive ZIP file.                                      | 240 characters |
| MAX_UNZIPPED_FILE_NAME_LENGTH   | Maximum length of file names inside the archive ZIP file.                                        | 240 characters |
| MAX_ZIP_DEPTH                   | Maximum folder depth inside the archive ZIP file.                                                | 64 levels      |
| MAX_ARCHIVES_DIR_SIZE           | Maximum total size of all archives stored in the TalendJobServersFiles/archiveJobs folder.       | 100 GB         |
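The following added example (not Talend's code) shows how a pre-extraction check against the limits above can be implemented: it validates an uploaded archive's declared content before anything is written to disk and reports which limits, if any, are violated, also flagging Zip Slip style paths. The LIMITS dictionary mirrors the documented defaults; the function names and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Limits mirroring the documented Talend JobServer defaults (illustrative copy,
# not read from org.talend.remote.jobserver.server.cfg).
LIMITS = {
    "MAX_UNZIPPED_SIZE": 1 * 1024 ** 3,
    "MAX_ZIPPED_ENTRIES": 2048,
    "MAX_ZIP_NAME_LENGTH": 240,
    "MAX_UNZIPPED_FOLDER_NAME_LENGTH": 240,
    "MAX_UNZIPPED_FILE_NAME_LENGTH": 240,
    "MAX_ZIP_DEPTH": 64,
}


def check_archive(data: bytes, zip_name: str, limits=LIMITS) -> list:
    """Return the sorted list of violated limit names; [] means accepted."""
    violations = set()
    if len(zip_name) > limits["MAX_ZIP_NAME_LENGTH"]:
        violations.add("MAX_ZIP_NAME_LENGTH")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > limits["MAX_ZIPPED_ENTRIES"]:
            violations.add("MAX_ZIPPED_ENTRIES")
        # Declared uncompressed sizes are checked before extraction; a real
        # extractor should also count bytes while writing, since headers can lie.
        if sum(i.file_size for i in infos) > limits["MAX_UNZIPPED_SIZE"]:
            violations.add("MAX_UNZIPPED_SIZE")
        for info in infos:
            parts = [p for p in info.filename.replace("\\", "/").split("/") if p]
            # Zip Slip: absolute paths or ".." segments would escape the target dir.
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                violations.add("PATH_TRAVERSAL")
            folders = parts if info.is_dir() else parts[:-1]
            if len(folders) > limits["MAX_ZIP_DEPTH"]:
                violations.add("MAX_ZIP_DEPTH")
            if any(len(f) > limits["MAX_UNZIPPED_FOLDER_NAME_LENGTH"] for f in folders):
                violations.add("MAX_UNZIPPED_FOLDER_NAME_LENGTH")
            if not info.is_dir() and len(parts[-1]) > limits["MAX_UNZIPPED_FILE_NAME_LENGTH"]:
                violations.add("MAX_UNZIPPED_FILE_NAME_LENGTH")
    return sorted(violations)


def build_zip(entries) -> bytes:
    """Build a constructed in-memory archive from (name, content) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()
```

A deployment would be accepted only when check_archive returns an empty list; the violated limit names can be logged alongside the rejected archive name.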