EresusSecurity

Compressed Archive Rules

Detects unsafe compressed archives across ZIP, tar, gzip, xz, and nested model bundles.

Definition

The Compressed rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

Compressed bundles are a common way to move datasets, checkpoints, notebooks, and model releases. Extraction is part of the supply chain.


Supported inputs

  • .zip
  • .tar
  • .tar.gz
  • .tgz
  • .xz
  • .gz
  • .bz2

Typical attack scenarios

  • A ZIP writes files outside the extraction root.
  • A nested archive recursively expands until the runner is exhausted.
  • A tar entry changes file ownership or permissions unexpectedly.

Detection logic

Sentinel ties Compressed evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read Compressed findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist
  • Source: where did the file, manifest, prompt, archive, or dependency come from?
  • Impact: code execution, data leakage, supply chain, or resource consumption?
  • Control: allowlist, hash, sandbox, egress policy, or secret rotation?
  • Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml
category: COMPRESSED
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel artifact ./models/ --rule COMPRESSED"

Rule index

Rule ID | Severity | Title | CWE | Fix Hint
COMPRESSED-ZIP-SLIP | HIGH | Compressed Archive Path Traversal | CWE-22 | Normalize archive paths before extraction.
COMPRESSED-DECOMPRESSION-BOMB | HIGH | Decompression Bomb | CWE-409 | Limit archive expansion and file counts.
COMPRESSED-NESTED-DEPTH | MEDIUM | Excessive Nested Archive Depth | CWE-400 | Avoid deeply nested model bundles.

COMPRESSED-ZIP-SLIP: Compressed Archive Path Traversal

Rule ID: COMPRESSED-ZIP-SLIP
Category: COMPRESSED
Severity: HIGH
CWE: CWE-22
OWASP LLM: LLM03 — Supply Chain
FP Risk: LOW
Owner: AI/ML platform or model release owner
Release decision: Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Detects compressed archive entries that escape the destination root after path normalization.

Why it matters

Compressed bundles are a common way to move datasets, checkpoints, notebooks, and model releases. Extraction is part of the supply chain.

When it fires

Sentinel fires this rule in the Compressed category when an archive member path contains traversal, an absolute path, or a platform-specific escape prefix. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Archive member path contains traversal, absolute path, or platform-specific escape prefixes.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
  • Evidence: Archive member path contains traversal, absolute path, or platform-specific escape prefixes.
  • Closure: sentinel artifact ./models/ --rule COMPRESSED must return clean output.

How to fix

Extract in a sandbox and reject entries whose normalized path leaves the destination directory.
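As an added example (not Sentinel's own code), the Python below implements this fix: each member path is normalized with backslashes treated as separators, traversal, absolute and drive-letter forms are rejected, and the resolved target is re-checked against the sandbox root before anything is written. The sample archive is constructed for the example and reuses the page's `../../../app/.env` entry.

```python
import io, os, posixpath, tempfile, zipfile

def is_safe_member(name: str) -> bool:
    # Treat backslashes as separators first, so 'a\..\..\x' cannot slip past
    # POSIX normalization; then reject absolute paths, Windows drive prefixes
    # and anything that still starts with '..' after normalization.
    candidate = name.replace("\\", "/")
    if candidate.startswith("/"):
        return False
    if len(candidate) >= 2 and candidate[0].isalpha() and candidate[1] == ":":
        return False  # 'C:/Windows/...' or 'C:..'
    normalized = posixpath.normpath(candidate)
    return not (normalized == ".." or normalized.startswith("../"))

def safe_extract(data: bytes, dest: str) -> dict:
    """Extract only members whose normalized path stays under dest.
    Returns {'extracted': [...], 'rejected': [...]}; the rejected list is the
    evidence a COMPRESSED-ZIP-SLIP finding would carry."""
    root = os.path.realpath(dest)
    result = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename.replace("\\", "/")))
            # Host-level re-check: the resolved target must still sit under root.
            if not is_safe_member(info.filename) or os.path.commonpath([root, target]) != root:
                result["rejected"].append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            result["extracted"].append(os.path.relpath(target, root))
    return result

def build_sample() -> bytes:
    # Constructed input: the page's traversal entry beside one legitimate member,
    # plus an absolute path and a Windows drive-letter path.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("model/config.json", "../../../app/.env",
                     "/etc/cron.d/job", "C:\\Windows\\Temp\\x.txt"):
            zf.writestr(name, b"{}")
    return buf.getvalue()

def demo() -> dict:
    # Run against a throwaway directory so the example leaves nothing behind.
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample(), tmp)
```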

CLI

sentinel artifact ./models/ --rule COMPRESSED

Policy example

sentinel-policy.yml
rules:
  COMPRESSED-ZIP-SLIP:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule COMPRESSED"

Expected output

COMPRESSED-ZIP-SLIP HIGH
Compressed Archive Path Traversal
Normalize archive paths before extraction.

Example

Bad
zip entry: ../../../app/.env
Good
zip entry: model/config.json
# normalized and extracted under a sandbox root

Related rules

COMPRESSED-DECOMPRESSION-BOMB: Decompression Bomb

Rule ID: COMPRESSED-DECOMPRESSION-BOMB
Category: COMPRESSED
Severity: HIGH
CWE: CWE-409
OWASP LLM: LLM10 — Unbounded Consumption
FP Risk: MEDIUM
Owner: AI/ML platform or model release owner
Release decision: Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Flags compressed inputs with extreme expansion ratios or declared sizes beyond policy limits.

Why it matters

Compressed bundles are a common way to move datasets, checkpoints, notebooks, and model releases. Extraction is part of the supply chain.

When it fires

Sentinel fires this rule in the Compressed category when compressed size, uncompressed size, file count, or expansion ratio exceeds the configured thresholds. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Compressed size, uncompressed size, file count, or ratio exceeds configured thresholds.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
  • Evidence: Compressed size, uncompressed size, file count, or ratio exceeds configured thresholds.
  • Closure: sentinel artifact ./models/ --rule COMPRESSED must return clean output.

How to fix

Set extraction quotas, stream scan large bundles, and require trusted manifests for expected sizes.

CLI

sentinel artifact ./models/ --rule COMPRESSED

Policy example

sentinel-policy.yml
rules:
  COMPRESSED-DECOMPRESSION-BOMB:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule COMPRESSED"

Expected output

COMPRESSED-DECOMPRESSION-BOMB HIGH
Decompression Bomb
Limit archive expansion and file counts.

Example

Bad
zip entry: ../../../app/.env
Good
zip entry: model/config.json
# normalized and extracted under a sandbox root

Related rules

COMPRESSED-NESTED-DEPTH: Excessive Nested Archive Depth

Rule ID: COMPRESSED-NESTED-DEPTH
Category: COMPRESSED
Severity: MEDIUM
CWE: CWE-400
OWASP LLM: LLM10 — Unbounded Consumption
FP Risk: MEDIUM
Owner: AI/ML platform or model release owner
Release decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Reports archive nesting deep enough to cause scanner exhaustion or hide payloads.

Why it matters

Compressed bundles are a common way to move datasets, checkpoints, notebooks, and model releases. Extraction is part of the supply chain.

When it fires

Sentinel fires this rule in the Compressed category when an archive contains nested archives beyond the configured recursion depth. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

Archive contains nested archives beyond the configured recursion depth.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: AI/ML platform or model release owner.
  • Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
  • Evidence: Archive contains nested archives beyond the configured recursion depth.
  • Closure: sentinel artifact ./models/ --rule COMPRESSED must return clean output.

How to fix

Flatten trusted releases and configure a maximum recursion depth.
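An added example, not Sentinel's own code, covering both the COMPRESSED-DECOMPRESSION-BOMB fix above (quotas on declared size, ratio and file count) and this rule's recursion limit: it reads the signals from ZIP central-directory metadata and descends into nested members only while they fit the quota, so a bomb is measured rather than expanded. The threshold values and the sample bundle are assumptions constructed for this example.

```python
from __future__ import annotations
import io
import zipfile
from dataclasses import dataclass

# Thresholds are assumed values for this example; the page only says "configured thresholds".
MAX_RATIO = 100.0          # total uncompressed / total compressed bytes
MAX_TOTAL_BYTES = 50_000_000
MAX_FILE_COUNT = 1_000
MAX_NESTED_DEPTH = 2       # depth 0 is the bundle itself

@dataclass
class Finding:
    rule: str
    path: str
    evidence: str

def scan_zip_bytes(data: bytes, path: str = "<root>", depth: int = 0) -> list[Finding]:
    """Inspect central-directory metadata only; nested archives are opened in memory
    and only when their declared size fits the quota, so nothing is written to disk."""
    if depth > MAX_NESTED_DEPTH:
        return [Finding("COMPRESSED-NESTED-DEPTH", path,
                        f"nesting depth {depth} exceeds {MAX_NESTED_DEPTH}")]
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        declared = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos) or 1
        ratio = declared / compressed
        if declared > MAX_TOTAL_BYTES or ratio > MAX_RATIO or len(infos) > MAX_FILE_COUNT:
            findings.append(Finding("COMPRESSED-DECOMPRESSION-BOMB", path,
                f"declared={declared} compressed={compressed} ratio={ratio:.0f} files={len(infos)}"))
        for info in infos:
            if info.filename.lower().endswith(".zip") and info.file_size <= MAX_TOTAL_BYTES:
                findings.extend(scan_zip_bytes(zf.read(info), f"{path}/{info.filename}", depth + 1))
    return findings

def zip_bytes(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def build_sample() -> bytes:
    # Constructed input: a 4 MiB run of zeros (ratio far above MAX_RATIO) beside a
    # chain of archives nested four levels below the bundle.
    inner = zip_bytes({"readme.txt": b"innermost"})
    for level in range(3):
        inner = zip_bytes({f"level{level}.zip": inner})
    return zip_bytes({"weights.bin": b"\0" * (4 * 1024 * 1024), "nested.zip": inner})
```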

CLI

sentinel artifact ./models/ --rule COMPRESSED

Policy example

sentinel-policy.yml
rules:
  COMPRESSED-NESTED-DEPTH:
    owner: "AI/ML platform or model release owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel artifact ./models/ --rule COMPRESSED"

Expected output

COMPRESSED-NESTED-DEPTH MEDIUM
Excessive Nested Archive Depth
Avoid deeply nested model bundles.

Example

Bad
zip entry: ../../../app/.env
Good
zip entry: model/config.json
# normalized and extracted under a sandbox root

Related rules

References