Skip to content

Fix: zip2tar does not preserve Unix file permissions from ZIP archives#9953

Closed
Andrew-most-likely wants to merge 3 commits intogetmoto:masterfrom
Andrew-most-likely:fix/zip2tar-preserve-unix-permissions
Closed

Fix: zip2tar does not preserve Unix file permissions from ZIP archives#9953
Andrew-most-likely wants to merge 3 commits intogetmoto:masterfrom
Andrew-most-likely:fix/zip2tar-preserve-unix-permissions

Conversation

@Andrew-most-likely
Copy link
Copy Markdown
Contributor

@Andrew-most-likely Andrew-most-likely commented Apr 2, 2026

Fixes #9947

The zip2tar function in moto/awslambda/models.py never read zipinfo.external_attr, which stores Unix file permissions in its upper 16 bits. Lambda handler executables (e.g. Go/Rust bootstrap binaries) therefore lost their execute bit after ZIP-to-TAR conversion, causing a permission denied error at runtime.

Fix: extract the mode from external_attr >> 16 when present and assign it to tarinfo.mode.

Test: test_zip2tar_preserves_unix_file_permissions builds a ZIP with a file set to mode 0o755, converts it with zip2tar, and asserts the TAR member has the same mode.

@Andrew-most-likely
Fix: disabled SQS event source mapping still invoking Lambda
eb3fc00 
Queue.add_message() was iterating over all lambda_event_source_mappings
and invoking Lambda without checking whether the mapping was enabled.
Add a check to skip disabled mappings.

Add a test to verify that a disabled ESM does not trigger Lambda
when a message is sent to the queue.

Fixes #9948
@Andrew-most-likely
Fix: zip2tar does not preserve Unix file permissions from ZIP archives
97260f0 
The zip2tar function in moto/awslambda/models.py ignored the
external_attr field of ZipInfo entries, which stores Unix file
permissions in its upper 16 bits. As a result, Lambda handler
executables (e.g. Go/Rust bootstrap binaries) lost their execute
bit after conversion, causing 'permission denied' at runtime.

Read the mode from external_attr when present and apply it to
the TarInfo entry.

Fixes #9947
@Andrew-most-likely
Copy link
Copy Markdown
Contributor Author

Andrew-most-likely commented Apr 2, 2026

I hope I didnt step on any toes with this pr it seemed there was some discussion on it and sorted it today so Im just gonna leave this here

Copilot AI review requested due to automatic review settings April 4, 2026 22:46
Copilot AI reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@Andrew-most-likely Andrew-most-likely closed this by deleting the head repository Apr 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

zip2tar in Lambda does not preserve Unix file permissions, causing permission denied when executing Lambda handler

3 participants

@Andrew-most-likely @bpandola