
Patch malicious tarballs
Tarballs with files containing directory traversal components can write
files to unintended locations. This change ensures the Untar function
will error when a given tarball has a traversal component (..).

See https://cwe.mitre.org/data/definitions/22.html
chrisdoherty4 committed Nov 17, 2023
1 parent 96f3aae commit b163844
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions pkg/tar/untar.go
Expand Up @@ -2,8 +2,10 @@ package tar

import (
"archive/tar"
"fmt"
"io"
"os"
"strings"
)

func UntarFile(tarFile, dstFolder string) error {
Expand Down Expand Up @@ -32,6 +34,12 @@ func Untar(source io.Reader, router Router) error {
continue
}

// Prevent malicous directory traversals.
// https://cwe.mitre.org/data/definitions/22.html
if !strings.Contains(header.Name, "..") {
return fmt.Errorf("file in tarball contains a directory traversal component (..): %v", header.Name)
}

info := header.FileInfo()
if info.IsDir() {
if err = os.MkdirAll(path, info.Mode()); err != nil {
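Review bot: The traversal guard at `if !strings.Contains(header.Name, "..")` is inverted: it returns the error for every entry whose name does not contain `..` and lets names that do contain it through, which is the opposite of what the commit message describes. The condition should read `if strings.Contains(header.Name, "..") {`. Even with that fixed, a plain substring match rejects harmless names such as `a..b` and says nothing about absolute names, so a more robust form would verify that the destination `path` (computed above the hunk, its derivation not visible here) still lies under the intended root after `filepath.Clean`. The new comment also misspells "malicious" as `malicous`. Untar's signature and the lines that compute `path` are outside the hunk.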
