From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling
Date: Mon, 11 Feb 2019 23:22:02 +0100 [thread overview]
Message-ID: <20190211222202.10786-1-peter@korsgaard.com> (raw)
For details, see https://github.com/snyk/zip-slip-vulnerability
Older python versions do not validate that the extracted files are inside
the target directory. Detect and error out on evil paths before extracting
.zip / .tar file.
Given the scope of this (zip issue was fixed in python 2.7.4, released
2013-04-06, scanpypi is only used by a developer when adding a new python
package), the security impact is fairly minimal, but it is good to get it
fixed anyway.
Reported-by: Bas van Schaik <security-reports@semmle.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
utils/scanpypi | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/utils/scanpypi b/utils/scanpypi
index a75d696222..bdce6924b6 100755
--- a/utils/scanpypi
+++ b/utils/scanpypi
@@ -225,6 +225,22 @@ class BuildrootPackage():
self.filename = self.used_url['filename']
self.url = self.used_url['url']
+ def check_archive(self, members):
+ """
+ Check archive content before extracting
+
+ Keyword arguments:
+ members -- list of archive members
+ """
+ # Protect against https://github.com/snyk/zip-slip-vulnerability
+ # Older python versions do not validate that the extracted files are
+ # inside the target directory. Detect and error out on evil paths
+ evil = [e for e in members if os.path.relpath(e).startswith(('/', '..'))]
+ if evil:
+ print('ERROR: Refusing to extract {} with suspicious members {}'.format(
+ self.filename, evil))
+ sys.exit(1)
+
def extract_package(self, tmp_path):
"""
Extract the package contents into a directrory
@@ -249,6 +265,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg)
+ self.check_archive(as_zipfile.namelist())
as_zipfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".zip")[0]
else:
@@ -264,6 +281,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg)
+ self.check_archive(as_tarfile.getnames())
as_tarfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".tar")[0]
--
2.11.0
next reply other threads:[~2019-02-11 22:22 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-11 22:22 Peter Korsgaard [this message]
2019-02-12 20:27 ` [Buildroot] [PATCH] utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling Peter Korsgaard
2019-02-12 20:33 ` Yann E. MORIN
2019-02-12 20:45 ` Peter Korsgaard
2019-02-21 12:54 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190211222202.10786-1-peter@korsgaard.com \
--to=peter@korsgaard.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox