From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [git commit] utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling
Date: Tue, 12 Feb 2019 21:27:35 +0100 [thread overview]
Message-ID: <20190212202655.CE4F280435@busybox.osuosl.org> (raw)
commit: https://git.buildroot.net/buildroot/commit/?id=a83e30ad63e00d6c81a6409161c2d3010d98d373
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
For details, see https://github.com/snyk/zip-slip-vulnerability
Older python versions do not validate that the extracted files are inside
the target directory. Detect and error out on evil paths before extracting
.zip / .tar file.
Given the scope of this (zip issue was fixed in python 2.7.4, released
2013-04-06, scanpypi is only used by a developer when adding a new python
package), the security impact is fairly minimal, but it is good to get it
fixed anyway.
Reported-by: Bas van Schaik <security-reports@semmle.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
utils/scanpypi | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/utils/scanpypi b/utils/scanpypi
index a75d696222..bdce6924b6 100755
--- a/utils/scanpypi
+++ b/utils/scanpypi
@@ -225,6 +225,22 @@ class BuildrootPackage():
self.filename = self.used_url['filename']
self.url = self.used_url['url']
+ def check_archive(self, members):
+ """
+ Check archive content before extracting
+
+ Keyword arguments:
+ members -- list of archive members
+ """
+ # Protect against https://github.com/snyk/zip-slip-vulnerability
+ # Older python versions do not validate that the extracted files are
+ # inside the target directory. Detect and error out on evil paths
+ evil = [e for e in members if os.path.relpath(e).startswith(('/', '..'))]
+ if evil:
+ print('ERROR: Refusing to extract {} with suspicious members {}'.format(
+ self.filename, evil))
+ sys.exit(1)
+
def extract_package(self, tmp_path):
"""
Extract the package contents into a directrory
@@ -249,6 +265,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg)
+ self.check_archive(as_zipfile.namelist())
as_zipfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".zip")[0]
else:
@@ -264,6 +281,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg)
+ self.check_archive(as_tarfile.getnames())
as_tarfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".tar")[0]
reply other threads:[~2019-02-12 20:27 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190212202655.CE4F280435@busybox.osuosl.org \
--to=peter@korsgaard.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.