From 7981c627c453c186e2129e0d7dec44a1ea1efa31 Mon Sep 17 00:00:00 2001 From: JCWasmx86 Date: Sun, 31 Mar 2024 18:10:01 +0200 Subject: [PATCH 1/2] Fix directory traversal vulnerability --- src/libutils/utils.cpp | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/libutils/utils.cpp b/src/libutils/utils.cpp index a48f993371..0d0254f2e1 100644 --- a/src/libutils/utils.cpp +++ b/src/libutils/utils.cpp @@ -148,8 +148,14 @@ bool extractFile(const std::filesystem::path &archivePath, archive_error_string(archive))); goto cleanup; } - auto entryPath = - outputDirectory / std::filesystem::path(archive_entry_pathname(entry)); + std::string entryPathname = archive_entry_pathname(entry); + if (entryPathname.contains("..")) { + LOG.warn(std::format( + "Attempted directory traversal with this entry: {}, ignoring it", + entryPathname)); + continue; + } + auto entryPath = outputDirectory / entryPathname; archive_entry_set_pathname_utf8(entry, entryPath.string().c_str()); const auto *originalHardlink = archive_entry_hardlink(entry); From 897c29995e4624decf170feff0fe7554538c830b Mon Sep 17 00:00:00 2001 From: JCWasmx86 Date: Sun, 31 Mar 2024 18:16:10 +0200 Subject: [PATCH 2/2] Guard against evil symlinks --- src/libutils/utils.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/libutils/utils.cpp b/src/libutils/utils.cpp index 0d0254f2e1..7b7546af57 100644 --- a/src/libutils/utils.cpp +++ b/src/libutils/utils.cpp @@ -125,7 +125,8 @@ bool extractFile(const std::filesystem::path &archivePath, auto *ext = archive_write_disk_new(); archive_write_disk_set_options( ext, ARCHIVE_EXTRACT_TIME | ARCHIVE_EXTRACT_PERM | ARCHIVE_EXTRACT_ACL | - ARCHIVE_EXTRACT_FFLAGS); + ARCHIVE_EXTRACT_FFLAGS | ARCHIVE_EXTRACT_SECURE_NODOTDOT | + ARCHIVE_EXTRACT_SECURE_SYMLINKS); archive_write_disk_set_standard_lookup(ext); const auto *filename = archivePath.c_str();