RAR Archive Rules
Detects traversal, decompression bombs, and opaque encrypted payloads in RAR archives.
The RAR rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.
RAR archives are less common in CI pipelines and often require additional tooling. Treating them as opaque can hide payloads in model transfers.
Supported inputs
.rar
Typical attack scenarios
- A RAR archive attempts path traversal during extraction.
- An encrypted archive bypasses content inspection.
- A compressed payload exhausts scanner resources.
Detection logic
Sentinel ties RAR evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.
Triage
Do not read RAR findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.
- Source: where did the file, manifest, prompt, archive, or dependency come from?
- Impact: code execution, data leakage, supply chain, or resource consumption?
- Control: allowlist, hash, sandbox, egress policy, or secret rotation?
- Evidence: does the same rule category return clean after the fix?
Remediation
Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.
CI policy
category: RAR
fail_on:
- CRITICAL
- HIGH
ticket_on:
- MEDIUM
retest: "sentinel artifact ./models/ --rule RAR"Rule index
| Rule ID | Severity | Title | CWE | Fix Hint |
|---|---|---|---|---|
| RAR-PATH-TRAVERSAL | HIGH | RAR Path Traversal | CWE-22 | Block RAR entries outside the target directory. |
| RAR-BOMB | HIGH | RAR Decompression Bomb | CWE-409 | Constrain RAR extraction size. |
| RAR-ENCRYPTED-PAYLOAD | MEDIUM | Encrypted RAR Payload | CWE-693 | Do not promote opaque encrypted archives. |
RAR-PATH-TRAVERSAL — RAR Path Traversal
HIGH| Rule ID | RAR-PATH-TRAVERSAL |
|---|---|
| Category | RAR |
| Severity | HIGH |
| CWE | CWE-22 |
| OWASP LLM | LLM03 — Supply Chain |
| FP Risk | LOW |
| Owner | AI/ML platform or model release owner |
| Release decision | Treat as a release gate; remediation or explicit risk acceptance is required. |
Description
Detects RAR entries that resolve outside the extraction root.
Why it matters
RAR archives are less common in CI pipelines and often require additional tooling. Treating them as opaque can hide payloads in model transfers.
When it fires
Sentinel fires this rule in the RAR category when it sees entry path contains traversal segments, absolute paths, or unsafe platform prefixes.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.
Evidence format
Entry path contains traversal segments, absolute paths, or unsafe platform prefixes.
Expected evidence
The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.
False-positive notes
False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.
Triage
- Owner: AI/ML platform or model release owner.
- Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
- Evidence: Entry path contains traversal segments, absolute paths, or unsafe platform prefixes.
- Closure: sentinel artifact ./models/ --rule RAR must return clean output.
How to fix
Reject unsafe archives and normalize every entry before extraction.
CLI
sentinel artifact ./models/ --rule RARPolicy example
rules:
RAR-PATH-TRAVERSAL:
owner: "AI/ML platform or model release owner"
fail_on: ["CRITICAL", "HIGH"]
retest: "sentinel artifact ./models/ --rule RAR"Expected output
RAR-PATH-TRAVERSAL HIGH
RAR Path Traversal
Block RAR entries outside the target directory.Example
rar entry: /var/www/app/config.pyrar entry: release/model.onnx
# extracted only after sandbox path validationRelated rules
- RAR-BOMB: RAR Decompression Bomb
- RAR-ENCRYPTED-PAYLOAD: Encrypted RAR Payload
RAR-BOMB — RAR Decompression Bomb
HIGH| Rule ID | RAR-BOMB |
|---|---|
| Category | RAR |
| Severity | HIGH |
| CWE | CWE-409 |
| OWASP LLM | LLM10 — Unbounded Consumption |
| FP Risk | MEDIUM |
| Owner | AI/ML platform or model release owner |
| Release decision | Treat as a release gate; remediation or explicit risk acceptance is required. |
Description
Flags RAR files with suspicious expansion ratio, file count, or nested archive structure.
Why it matters
RAR archives are less common in CI pipelines and often require additional tooling. Treating them as opaque can hide payloads in model transfers.
When it fires
Sentinel fires this rule in the RAR category when it sees declared unpacked size or member count exceeds configured scan limits.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.
Evidence format
Declared unpacked size or member count exceeds configured scan limits.
Expected evidence
The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.
False-positive notes
False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.
Triage
- Owner: AI/ML platform or model release owner.
- Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
- Evidence: Declared unpacked size or member count exceeds configured scan limits.
- Closure: sentinel artifact ./models/ --rule RAR must return clean output.
How to fix
Use extraction quotas and require expected-size manifests for large model bundles.
CLI
sentinel artifact ./models/ --rule RARPolicy example
rules:
RAR-BOMB:
owner: "AI/ML platform or model release owner"
fail_on: ["CRITICAL", "HIGH"]
retest: "sentinel artifact ./models/ --rule RAR"Expected output
RAR-BOMB HIGH
RAR Decompression Bomb
Constrain RAR extraction size.Example
rar entry: /var/www/app/config.pyrar entry: release/model.onnx
# extracted only after sandbox path validationRelated rules
- RAR-PATH-TRAVERSAL: RAR Path Traversal
- RAR-ENCRYPTED-PAYLOAD: Encrypted RAR Payload
RAR-ENCRYPTED-PAYLOAD — Encrypted RAR Payload
MEDIUM| Rule ID | RAR-ENCRYPTED-PAYLOAD |
|---|---|
| Category | RAR |
| Severity | MEDIUM |
| CWE | CWE-693 |
| OWASP LLM | LLM03 — Supply Chain |
| FP Risk | MEDIUM |
| Owner | AI/ML platform or model release owner |
| Release decision | Assign an owner, fix within the sprint, and attach the retest command to the issue. |
Description
Reports encrypted RAR contents that cannot be inspected by the scanner.
Why it matters
RAR archives are less common in CI pipelines and often require additional tooling. Treating them as opaque can hide payloads in model transfers.
When it fires
Sentinel fires this rule in the RAR category when it sees rar metadata indicates encrypted headers or encrypted file contents.. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.
Evidence format
RAR metadata indicates encrypted headers or encrypted file contents.
Expected evidence
The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.
False-positive notes
False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.
Triage
- Owner: AI/ML platform or model release owner.
- Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
- Evidence: RAR metadata indicates encrypted headers or encrypted file contents.
- Closure: sentinel artifact ./models/ --rule RAR must return clean output.
How to fix
Require decrypted inspection in a trusted environment before promotion.
CLI
sentinel artifact ./models/ --rule RARPolicy example
rules:
RAR-ENCRYPTED-PAYLOAD:
owner: "AI/ML platform or model release owner"
fail_on: ["CRITICAL", "HIGH"]
retest: "sentinel artifact ./models/ --rule RAR"Expected output
RAR-ENCRYPTED-PAYLOAD MEDIUM
Encrypted RAR Payload
Do not promote opaque encrypted archives.Example
rar entry: /var/www/app/config.pyrar entry: release/model.onnx
# extracted only after sandbox path validationRelated rules
- RAR-PATH-TRAVERSAL: RAR Path Traversal
- RAR-BOMB: RAR Decompression Bomb