Hello,
For a project we are looking into building several workspaces/token-based apps that can be run on FME Server. Due to strict security requirements we have to make sure that either compressed files are rejected or are handled in a safe manner.
As I understand it, FME 2018 and older decompress the zip file first to a temp folder, then use the extracted files to read the data (into ffs); this potentially exposes the file system to malicious files from the zip.
Upon being read, the data is extracted and used just as if it were a normal dataset. FME is able to read data stored directly in an archive file, or within sub-folders. (archive_files_reading.htm)
Notable New Features 2019.0: Automatic Decompression
Read your compressed data files directly in FME without having to decompress them first. Another barrier has been taken down!
Does this expose the content of the zip to the file system? Somehow the files of the zip have to be stored somewhere. EDIT: Yes, it still extracts everything to a temp folder, including files not in the filter (somearchive.zip\*.xml).
How does FME deal with potentially harmful zip archives? Store it at an intermediate location, run a virus scanner, and then use the validated zip?
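Added example, not part of the original post and not FME code: a pre-screening step a workspace could run on an uploaded archive before any reader extracts it to a temp folder. It checks for the generic hazards of untrusted zips (members whose paths escape the extraction folder, absolute paths, symlink entries, file types the workspace does not read, and members whose declared size inflates far beyond their stored size) and then extracts only the members that passed, under a byte budget enforced while inflating rather than trusting the declared sizes. The size limits, allowed extensions and sample archive are constructed assumptions for illustration, not FME settings.

```python
"""Screen an untrusted ZIP before handing it to a reader that extracts it.

Added example for the discussion above; not FME code.  Limits and allowed
extensions are hypothetical policy values, tune them per deployment.
"""
import io
import os
import posixpath
import zipfile

MAX_TOTAL_UNCOMPRESSED = 200 * 1024 * 1024   # hypothetical ceiling, bytes
MAX_RATIO = 100                               # uncompressed / compressed
ALLOWED_SUFFIXES = (".xml", ".gml", ".csv")   # assumed: what the workspace reads


def entry_problems(info):
    """Return the reasons to reject one archive member (empty list = fine)."""
    problems = []
    name = info.filename.replace("\\", "/")
    norm = posixpath.normpath(name)
    # Absolute paths (POSIX or DOS drive) and '..' components can land a
    # member outside the temp folder the reader extracts into.
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        problems.append("absolute path")
    if ".." in norm.split("/"):
        problems.append("path traversal")
    # Unix mode sits in the high 16 bits of external_attr; 0o120000 = symlink.
    if (info.external_attr >> 16) & 0o170000 == 0o120000:
        problems.append("symlink")
    if info.is_dir():
        return problems
    if not name.lower().endswith(ALLOWED_SUFFIXES):
        problems.append("disallowed type")
    # Members that inflate far beyond their stored size (zip bomb pattern).
    if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
        problems.append("compression ratio")
    return problems


def screen_archive(data):
    """Classify members of an in-memory ZIP; returns (accepted, rejected, ok)."""
    accepted, rejected, total = [], {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            problems = entry_problems(info)
            if problems:
                rejected[info.filename] = problems
            elif not info.is_dir():
                accepted.append(info.filename)
    # Declared sizes can lie, so the extractor below still caps bytes written.
    ok = not rejected and total <= MAX_TOTAL_UNCOMPRESSED
    return accepted, rejected, ok


def extract_accepted(data, dest):
    """Write only screened members under dest, re-checking every target path."""
    accepted, _, _ = screen_archive(data)
    root = os.path.realpath(dest)
    written = []
    remaining = MAX_TOTAL_UNCOMPRESSED
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in accepted:
            target = os.path.realpath(os.path.join(root, *name.split("/")))
            if os.path.commonpath([root, target]) != root:
                continue  # screened names should never reach this; defence in depth
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                while chunk := src.read(65536):
                    remaining -= len(chunk)
                    if remaining < 0:
                        raise ValueError(f"{name}: size budget exceeded while inflating")
                    dst.write(chunk)
            written.append(target)
    return written


def build_sample():
    """Constructed test archive: one clean member plus hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data/points.xml", "<points/>")
        zf.writestr("../../etc/evil.xml", "<x/>")       # escapes the temp folder
        zf.writestr("/tmp/abs.xml", "<x/>")             # absolute path
        zf.writestr("payload.exe", b"MZ")               # type the workspace never reads
        zf.writestr("bomb.xml", b"\0" * 2_000_000)      # roughly 1000:1 ratio
        link = zipfile.ZipInfo("link.xml")
        link.external_attr = 0o120777 << 16             # symlink mode bits
        zf.writestr(link, "/etc/passwd")
    return buf.getvalue()


if __name__ == "__main__":
    accepted, rejected, ok = screen_archive(build_sample())
    print("archive ok:", ok, "accepted:", accepted)
    for member, why in rejected.items():
        print("rejected:", member, why)
```

Running the module prints one accepted member and five rejections with their reasons. The whole-archive verdict fails if any member is rejected, which matches the post's requirement that a compressed file is either rejected or handled safely; a virus scan of the stored archive is a separate step this screening does not replace.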