Archive security restrictions when publishing artifacts to Talend Cloud
Talend Cloud validates artifact archives against security rules when the archives are published from Talend Studio to Talend Cloud.
Talend Cloud has built-in protection against ZIP-based attacks during archive publication, such as ZIP Slip (path traversal through entry names), ZIP symlink attacks, and denial-of-service attacks through oversized or excessively nested archives. Qlik enforces these security rules; you cannot configure or disable them.
If the archive violates a security rule, Talend Cloud rejects the archive, and Talend Studio or your continuous integration/continuous delivery (CI/CD) pipeline receives an HTTP 400 Bad Request error.
Invalid archive entry names
Talend Cloud rejects the archive if any entry name:
- Contains .. anywhere in the name (path traversal sequences; a file name such as ddd..jar is also rejected, not only a ../ path segment)
- Contains a backslash (\)
- Starts with / or \ (absolute path)
The following are examples of invalid entry names:
```text
../app.jar
a/../../b.txt
/root/secret.txt
\temp\a.txt
folder\file.txt
C:\temp\a.txt
..\evil.sh
/../etc/passwd
a/b/../c.txt
a/b/ddd..jar
```
Archive size and structure limits
The following limits apply to the artifact archive.
| Safeguard limit | Value |
|---|---|
| Maximum length of the artifact ID (base name, not including the file extension). | 200 characters |
| Maximum nesting depth of folders inside the archive. | 64 levels |
| Maximum length of any individual file or folder name inside the archive. | 240 characters |
| Maximum total number of files and folders inside the archive. | 4096 |
| Maximum uncompressed size of a single file inside the archive. | 1000 MB |
| Maximum total uncompressed size of all files inside the archive. | 5 GB |
| Maximum compressed size of all files inside the archive. | 1500 MB |
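The entry-name rules and the limits table above are enforced server-side, so the first sign of a bad archive is usually a Bad Request in a CI/CD run. The following pre-publish lint is an added example, not Qlik's or Talend's own code: it re-implements those rules locally over a ZIP's central directory (nothing is extracted) so that a pipeline can fail with a readable report before the publish step. The limit values are copied from the table; how nesting depth is counted (number of folder components before the leaf name) and the report wording are this example's assumptions, and the sample archive it builds is constructed in memory for illustration.

```python
"""Pre-publish lint for a Talend Cloud artifact archive.

Added example, not Qlik's or Talend's code. It mirrors the entry-name rules
and the publication-time limits documented for Talend Cloud so a CI/CD job can
report violations locally instead of receiving an HTTP 400 Bad Request.
"""
import io
import os
import zipfile

# Publication-time limits, copied from the limits table.
MAX_ARTIFACT_ID_LEN = 200           # characters, archive base name without extension
MAX_DEPTH = 64                      # folder levels
MAX_NAME_LEN = 240                  # characters per file or folder name
MAX_ENTRIES = 4096                  # files + folders
MAX_FILE_BYTES = 1000 * 1024 ** 2   # uncompressed, per file
MAX_TOTAL_BYTES = 5 * 1024 ** 3     # uncompressed, whole archive
MAX_COMPRESSED_BYTES = 1500 * 1024 ** 2


def entry_name_errors(name):
    """Return the entry-name rules that `name` violates ([] if it is valid)."""
    errors = []
    if ".." in name:                      # any '..', even inside a file name such as ddd..jar
        errors.append("contains '..'")
    if "\\" in name:
        errors.append("contains a backslash")
    if name.startswith(("/", "\\")):
        errors.append("starts with '/' or '\\' (absolute path)")
    return errors


def artifact_id_errors(archive_filename):
    """Check the artifact ID (archive base name without extension) length."""
    artifact_id = os.path.splitext(os.path.basename(archive_filename))[0]
    if len(artifact_id) > MAX_ARTIFACT_ID_LEN:
        return [f"artifact ID is {len(artifact_id)} characters (max {MAX_ARTIFACT_ID_LEN})"]
    return []


def check_archive(source):
    """Lint a ZIP (path or file-like object) against the documented rules.

    Returns a list of human-readable violations; [] means every check passed.
    Sizes are read from the central directory, so nothing is extracted.
    """
    violations = []
    with zipfile.ZipFile(source) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            violations.append(f"{len(infos)} entries (max {MAX_ENTRIES})")
        total_uncompressed = total_compressed = 0
        for info in infos:
            name = info.filename
            violations.extend(f"{name!r}: {err}" for err in entry_name_errors(name))
            # Assumption of this example: depth = number of folder components before the leaf.
            parts = [p for p in name.split("/") if p]
            folders = parts if info.is_dir() else parts[:-1]
            if len(folders) > MAX_DEPTH:
                violations.append(f"{name!r}: nested {len(folders)} levels deep (max {MAX_DEPTH})")
            for part in parts:
                if len(part) > MAX_NAME_LEN:
                    violations.append(f"{name!r}: component of {len(part)} characters (max {MAX_NAME_LEN})")
            if info.file_size > MAX_FILE_BYTES:
                violations.append(f"{name!r}: {info.file_size} bytes uncompressed (max {MAX_FILE_BYTES})")
            total_uncompressed += info.file_size
            total_compressed += info.compress_size
        if total_uncompressed > MAX_TOTAL_BYTES:
            violations.append(f"total uncompressed size {total_uncompressed} bytes (max {MAX_TOTAL_BYTES})")
        if total_compressed > MAX_COMPRESSED_BYTES:
            violations.append(f"total compressed size {total_compressed} bytes (max {MAX_COMPRESSED_BYTES})")
    return violations


def build_sample_archive():
    """Constructed in-memory sample: one valid entry plus six invalid ones.

    ZipInfo.filename is assigned directly so that zipfile does not normalise
    the names this sample deliberately makes bad (on Linux it would not anyway).
    """
    bad_names = [
        "../app.jar",                                       # traversal
        "folder\\file.txt",                                 # backslash
        "/root/secret.txt",                                 # absolute path
        "a/b/ddd..jar",                                     # '..' inside a file name
        "/".join(["d"] * (MAX_DEPTH + 1)) + "/leaf.txt",    # 65 folder levels
        "x" * (MAX_NAME_LEN + 1),                           # 241-character name
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/lib/app.jar", b"placeholder jar bytes")
        for name in bad_names:
            info = zipfile.ZipInfo("placeholder")
            info.filename = name
            zf.writestr(info, b"x")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for line in check_archive(build_sample_archive()):
        print(line)
```

Run it against a real artifact with `check_archive("path/to/artifact.zip")` together with `artifact_id_errors("artifact.zip")`; a non-empty list is the signal to fail the pipeline stage before publishing. The sample archive produces six violations, one per bad entry, including the `a/b/ddd..jar` case that trips the `..` rule without being a traversal.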
Note: A second layer of size and structure limits applies when an artifact archive is deployed on an execution server. Unlike the publication limits, these server-level limits are configurable:
- Dynamic Engine: Configuring Job size limits for Dynamic Engine environments.
- Talend Remote Engine: Improving security against malicious archive content.