7z Archive Rules

Detects traversal, decompression bombs, and unsafe links in 7z archives used for model bundles.

Definition

The 7Z rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

Model releases are often distributed as archives. Extraction bugs can overwrite files, hide payloads, or exhaust disk and memory.

Canonical help URL

Supported inputs

.7z
.7zip

Typical attack scenarios

A 7z archive writes a file outside the extraction directory.
A compressed model bundle expands to extreme size.
A symlink inside the archive redirects a model file path.

Detection logic

Sentinel ties 7Z evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read 7Z findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist

Source: where did the file, manifest, prompt, archive, or dependency come from?
Impact: code execution, data leakage, supply chain, or resource consumption?
Control: allowlist, hash, sandbox, egress policy, or secret rotation?
Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml

category: 7Z
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel artifact ./models/ --rule 7Z"

Rule index

Rule ID	Severity	Title	CWE	Fix Hint
7Z-PATH-TRAVERSAL	HIGH	7z Path Traversal	CWE-22	Block archive entries that resolve outside the destination root.
7Z-BOMB	HIGH	7z Decompression Bomb	CWE-409	Cap archive extraction size and nesting depth.
7Z-SYMLINK-ESCAPE	MEDIUM	7z Symlink Escape	CWE-59	Treat archive links as untrusted paths.

7Z-PATH-TRAVERSAL — 7z Path Traversal

HIGH

Rule ID	7Z-PATH-TRAVERSAL
Category	7Z
Severity	HIGH
CWE	CWE-22
OWASP LLM	LLM03 — Supply Chain
FP Risk	LOW
Owner	AI/ML platform or model release owner
Release decision	Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Detects archive entries that escape the intended extraction directory.

Why it matters

Model releases are often distributed as archives. Extraction bugs can overwrite files, hide payloads, or exhaust disk and memory.

When it fires

Sentinel fires this rule in the 7Z category when it sees entry path contains ../, absolute path prefixes, drive names, or normalized path escapes.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Entry path contains ../, absolute path prefixes, drive names, or normalized path escapes.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
Evidence: Entry path contains ../, absolute path prefixes, drive names, or normalized path escapes.
Closure: sentinel artifact ./models/ --rule 7Z must return clean output.

How to fix

Reject the archive and extract only after path normalization in a sandbox.

CLI

sentinel artifact ./models/ --rule 7Z

Policy example

sentinel-policy.yml

rules:
  7Z-PATH-TRAVERSAL:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule 7Z"

Expected output

7Z-PATH-TRAVERSAL HIGH
7z Path Traversal
Block archive entries that resolve outside the destination root.

Example

Bad

archive entry: ../../.ssh/authorized_keys

Good

archive entry: models/encoder/model.safetensors
# normalized under extraction root

Related rules

7Z-BOMB: 7z Decompression Bomb
7Z-SYMLINK-ESCAPE: 7z Symlink Escape

7Z-BOMB — 7z Decompression Bomb

HIGH

Rule ID	7Z-BOMB
Category	7Z
Severity	HIGH
CWE	CWE-409
OWASP LLM	LLM10 — Unbounded Consumption
FP Risk	MEDIUM
Owner	AI/ML platform or model release owner
Release decision	Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Flags extreme compressed-to-uncompressed ratios or nested structures that can exhaust disk, CPU, or memory.

Why it matters

Model releases are often distributed as archives. Extraction bugs can overwrite files, hide payloads, or exhaust disk and memory.

When it fires

Sentinel fires this rule in the 7Z category when it sees expansion ratio, total unpacked size, or entry count exceeds configured scan policy.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Expansion ratio, total unpacked size, or entry count exceeds configured scan policy.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
Evidence: Expansion ratio, total unpacked size, or entry count exceeds configured scan policy.
Closure: sentinel artifact ./models/ --rule 7Z must return clean output.

How to fix

Set extraction quotas and require large model bundles to use signed manifests with expected sizes.

CLI

sentinel artifact ./models/ --rule 7Z

Policy example

sentinel-policy.yml

rules:
  7Z-BOMB:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule 7Z"

Expected output

7Z-BOMB HIGH
7z Decompression Bomb
Cap archive extraction size and nesting depth.

Example

Bad

archive entry: ../../.ssh/authorized_keys

Good

archive entry: models/encoder/model.safetensors
# normalized under extraction root

Related rules

7Z-PATH-TRAVERSAL: 7z Path Traversal
7Z-SYMLINK-ESCAPE: 7z Symlink Escape

7Z-SYMLINK-ESCAPE — 7z Symlink Escape

MEDIUM

Rule ID	7Z-SYMLINK-ESCAPE
Category	7Z
Severity	MEDIUM
CWE	CWE-59
OWASP LLM	LLM03 — Supply Chain
FP Risk	MEDIUM
Owner	AI/ML platform or model release owner
Release decision	Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Detects symlink entries that resolve outside the extraction root or point to sensitive filesystem locations.

Why it matters

Model releases are often distributed as archives. Extraction bugs can overwrite files, hide payloads, or exhaust disk and memory.

When it fires

Sentinel fires this rule in the 7Z category when it sees archive link metadata targets absolute paths, parent traversal, or protected directories.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Archive link metadata targets absolute paths, parent traversal, or protected directories.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist

Owner: AI/ML platform or model release owner.
Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
Evidence: Archive link metadata targets absolute paths, parent traversal, or protected directories.
Closure: sentinel artifact ./models/ --rule 7Z must return clean output.

How to fix

Disable symlink extraction for untrusted archives or validate link targets before extraction.

CLI

sentinel artifact ./models/ --rule 7Z

Policy example

sentinel-policy.yml

rules:
  7Z-SYMLINK-ESCAPE:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule 7Z"

Expected output

7Z-SYMLINK-ESCAPE MEDIUM
7z Symlink Escape
Treat archive links as untrusted paths.

Example

Bad

archive entry: ../../.ssh/authorized_keys

Good

archive entry: models/encoder/model.safetensors
# normalized under extraction root

Related rules

7Z-PATH-TRAVERSAL: 7z Path Traversal
7Z-BOMB: 7z Decompression Bomb

References

PreviousOCI NextManifest