untar: add check on link
david972 authored and dennwc committed Aug 11, 2021
1 parent 073bb55 commit 4265465
Showing 2 changed files with 18 additions and 0 deletions.
3 changes: 3 additions & 0 deletions .gitignore
@@ -1,3 +1,6 @@
.idea/


build
coverage.txt
/ostree
15 changes: 15 additions & 0 deletions runtime/unpack.go
Expand Up @@ -136,6 +136,14 @@ loop:
case tar.TypeLink:
target := filepath.Join(dest, hdr.Linkname)

trueTarget, err := filepath.EvalSymlinks(target)
if err != nil {
return err
}
if !strings.HasPrefix(trueTarget, dest) {
return fmt.Errorf("hardlink %q -> %q outside destination", target, hdr.Linkname)
}

if !strings.HasPrefix(target, dest) {
return fmt.Errorf("invalid hardlink %q -> %q", target, hdr.Linkname)
}
Expand All @@ -147,6 +155,13 @@ loop:
case tar.TypeSymlink:
target := filepath.Join(filepath.Dir(path), hdr.Linkname)

trueTarget, err := filepath.EvalSymlinks(target)
if err != nil {
return err
}
if !strings.HasPrefix(trueTarget, dest) {
return fmt.Errorf("hardlink %q -> %q outside destination", target, hdr.Linkname)
}
if !strings.HasPrefix(target, dest) {
return fmt.Errorf("invalid symlink %q -> %q", path, hdr.Linkname)
}
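Review bot: The containment test `strings.HasPrefix(trueTarget, dest)` added in both the `tar.TypeLink` and `tar.TypeSymlink` cases compares raw strings, so a resolved path in a sibling directory whose name merely begins with `dest` (constructed example: `/out-other` for a dest of `/out`) is accepted, and a `dest` that itself sits behind a symlink would make every resolved target fail the test. Comparing on a path boundary against a canonicalised destination is safer, e.g. `rel, err := filepath.Rel(realDest, trueTarget)` followed by `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {`, where `realDest` is `dest` passed through `filepath.EvalSymlinks` once before the loop. In the symlink case `filepath.EvalSymlinks(target)` also returns an error when the target does not exist, which rejects dangling symlinks and symlinks to entries that appear later in the archive, and because it runs before the lexical `HasPrefix(target, dest)` check it stats paths outside `dest` first; if that is intended it deserves a comment. The new error in the symlink branch still says `hardlink` and prints `target` where the neighbouring message prints `path`. The enclosing switch and function start and end outside these hunks, so how `dest` is prepared is not visible here.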