FIX #6413 pip install <url> allow directory traversal

[gzpan123]

Fixes #6413.

[cjerdonek]

Thanks for the report and patch! Some comments.

[cjerdonek]

This should be in the imperative tone (so "Fix pip install <url> ..."): https://pip.pypa.io/en/stable/development/contributing/#contents-of-a-news-entry

You should also wrap lines to 80 characters and surround words that should be code with double backticks before and after (since it is reStructuredText).

[cjerdonek]

To increase testability, I would define a parse_content_disposition(headers, default_filename) function that returns the file name to use, and then add a couple unit tests of the function using @pytest.mark.parametrize.

[cjerdonek]

You can use the pytest tmpdir fixture so you won't need to manually create and delete a temp dir.

[cjerdonek]

You can pass these two variables as keyword argument to save two lines.

[cjerdonek]

I would be more explicit in the docstring and say something like, "Test downloading a file when the content-disposition header contains a filename with a ".." path part."

[cjerdonek]

Seeing this implementation, it might actually be better to add a second function (called something like sanitize_filename()) and put the bulk of your unit tests in the unit tests of that function. Also, why is it necessary to split on \ after calling basename(), and why splitting only with that character as opposed to others? Some code comments are probably warranted here explaining what we are protecting against. Lastly, what about left-stripping ., too?

[gzpan123]

I added .split("\\")[-1] because os.path.basename("dir\\file") return "dir\file" in linux.
Later I found out that "dir \ file" is a valid filename in linux. so .split("\\")[-1] can be removed.

I added .rstrip(".") because os.path.basename("dir/..") return ".." and ".." is not a valid filename,
But only ".." can not lead to directory traversal. so ``.rstrip(".")``` can also be removed.

So only os.path.basename(filename) could fix this security issue already, so I decided to remove .split("\\")[-1] and .rstrip("."), is this ok?

[cjerdonek]

Isn't something like that still needed for Windows, though?

[gzpan123]

In windows both os.path.basename("dir\\file") and os.path.basename("dir/file") return "file".
There is no other thing need to do in Windows, I think.

[cjerdonek]

Thanks for your updates (and I agree with using os.path.basename()). Some more comments.

[cjerdonek]

Some final(?) comments. Thanks for your work on this.

[gzpan123]

any problems?

[BrownTruck]

Hello!

I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the master branch into this pull request or rebase this pull request against master then it will be eligible for code review and hopefully merging!

[cjerdonek]

any problems?

No, just haven't gotten to this. But looks like you need to do a rebase in the meantime..

[BrownTruck]

Hello!

I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the master branch into this pull request or rebase this pull request against master then it will be eligible for code review and hopefully merging!

[cjerdonek]

@gzpan123 I made some formatting and wording tweaks before planning to merge this, if that's okay.

[cjerdonek]

Thanks so much for all your work on this, @gzpan123, and for sticking with it! 👍

[cjerdonek]

@gzpan123 In the course of reviewing your PR, I noticed a related issue that looks like it could use fixing. It seems like the "default" filename (from the Link object) could also result in directory traversal. For example:

>>> from pip._internal.models.link import Link
>>> link = Link('https://example.com/..%2Ffoo.txt')
>>> link.filename
'../foo.txt'

This is because Link.filename unquotes its basename before returning:

pip/src/pip/_internal/models/link.py

Lines 61 to 68 in 5776ddd

	@property
	def filename(self):
	# type: () -> str
	_, netloc, path, _, _ = urllib_parse.urlsplit(self.url)
	name = posixpath.basename(path.rstrip('/')) or netloc
	name = urllib_parse.unquote(name)
	assert name, ('URL %r produced no filename' % self.url)
	return name