Improving security in case of malicious archive content - Cloud

Talend Cloud Installation and Upgrade Guide

Version: Cloud
Language: English
Operating system: Windows
Product: Talend Cloud
Modules: Talend Artifact Repository, Talend Data Stewardship, Talend Management Console, Talend Remote Engine, Talend SAP RFC Server, Talend Studio
Content: Installation and Upgrade
Last publication date: 2024-04-23
Available in: Cloud API Services Platform, Cloud Data Fabric

Talend JobServer has built-in protection against ZIP Slip and ZIP Symlink attacks. To harden it further, you can set limits on archive properties to protect Talend JobServer against malicious Job archive content.

Malicious Job archive content can be used for Denial of Service attacks that aim to break the file system or exhaust disk space.

To reduce this risk, you can set stricter limits on folder and file names, taking into account the space needed for your Job deployments. The default values are stored in the org.talend.remote.jobserver.server.cfg file located in the etc directory.

These values should not be higher than the name sizes supported by the file system that holds the TalendJobServersFiles folder. If one or more limits are exceeded, an error message is displayed and the deployment is rejected.

The default values for the editable parameters are listed in the following table. Each parameter name is prefixed with:
org.talend.remote.jobserver.commons.config.JobServerConfiguration.

Parameters to improve security in case of malicious archive content

| Parameter | Description | Default value |
| --- | --- | --- |
| MAX_UNZIPPED_SIZE | Maximum size of the archive ZIP file being extracted during the deployment. | 1 GB |
| MAX_ZIPPED_ENTRIES | Maximum number of entries in the archive file. | 2048 |
| MAX_ZIP_NAME_LENGTH | Maximum length of the archive ZIP file name. | 240 characters |
| MAX_UNZIPPED_FOLDER_NAME_LENGTH | Maximum length of folder names inside the archive ZIP file. | 240 characters |
| MAX_UNZIPPED_FILE_NAME_LENGTH | Maximum length of file names inside the archive ZIP file. | 240 characters |
| MAX_ZIP_DEPTH | Maximum depth of folders inside the archive ZIP file. | 64 levels |
| MAX_ARCHIVES_DIR_SIZE | Maximum total size of all archives stored in the TalendJobServersFiles/archiveJobs folder. | 100 GB |
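To show what these limits guard against, the following is an added example (not Talend's code) that applies the same kind of checks to a Job archive before anything is extracted. It reads only the ZIP central directory, so a malicious archive is rejected without inflating it to disk; the defaults mirror the table above, while the attribute and function names are this example's own and any sample archives are constructed in memory.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ArchiveLimits:
    # Defaults follow the JobServerConfiguration values listed above; the
    # attribute names are this example's own, not Talend's.
    max_unzipped_size: int = 1024 ** 3   # MAX_UNZIPPED_SIZE (1 GB)
    max_zipped_entries: int = 2048       # MAX_ZIPPED_ENTRIES
    max_folder_name_length: int = 240    # MAX_UNZIPPED_FOLDER_NAME_LENGTH
    max_file_name_length: int = 240      # MAX_UNZIPPED_FILE_NAME_LENGTH
    max_zip_depth: int = 64              # MAX_ZIP_DEPTH


def check_archive(data: bytes, limits: ArchiveLimits = ArchiveLimits()) -> list:
    """Return the limit violations found; an empty list means the archive passes.
    Only central-directory metadata is read, so nothing is inflated to disk."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > limits.max_zipped_entries:
            problems.append(f"entries {len(infos)} > {limits.max_zipped_entries}")
        # Declared uncompressed sizes, summed before extraction (zip-bomb guard).
        total = sum(info.file_size for info in infos)
        if total > limits.max_unzipped_size:
            problems.append(f"unzipped size {total} > {limits.max_unzipped_size}")
        for info in infos:
            parts = info.filename.strip("/").split("/")
            # Directory entries end with "/", so every component is a folder.
            folders = parts if info.is_dir() else parts[:-1]
            if len(folders) > limits.max_zip_depth:
                problems.append(f"{info.filename}: depth {len(folders)} > {limits.max_zip_depth}")
            for folder in folders:
                if len(folder) > limits.max_folder_name_length:
                    problems.append(f"{info.filename}: folder name too long ({len(folder)})")
            if not info.is_dir() and len(parts[-1]) > limits.max_file_name_length:
                problems.append(f"{info.filename}: file name too long ({len(parts[-1])})")
    return problems


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

A deployment pipeline would call check_archive on the uploaded bytes and reject the Job when the returned list is non-empty, which is the behaviour the table describes for JobServer itself.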