-
Notifications
You must be signed in to change notification settings - Fork 17.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: archive/tar, archive/zip: add NewReaderOptions with directory traversal defenses #57850
Comments
Bikeshed: instead of |
What happened with the errors being introduced in Go 1.20? I thought the plan was to turn them on by default in some newer release? |
This proposal has been added to the active column of the proposals project |
We stated that we might turn on name security checks, but the pervasiveness of Docker tar files with absolute paths makes me dubious that we will ever be able to do so without causing widespread breakage. Adding a new safe-by-default function could give us a path to making that change: First we add the safe function under a different name, then we deprecate the unsafe functions, and when a sufficient portion of the ecosystem has moved off of the unsafe functions we might be able to change them to be safe by default and even undeprecate them.
|
This still feels like it's getting very complicated. One way it can be hard to write secure code is when there are too many ways to do it, and it feels like we're headed down that road. Can we simplify this? How many different programs or libraries read "Docker tar files"? If those update to recognize the new errors, that problem is fixed, right? |
I would expect
Safe-by-default, but also one that's just much harder to call than Also, I personally find |
We could simplify this by adding a safe-by-default API with no options, or with fewer options. For example: package tar
func SafeReader(r io.Reader) *Reader The alternative is to change the existing readers as proposed in #55356. I don't know how many programs would need to be updated to handle this change. Docker is pretty popular, though. I'll try running Google-internal tests (which include a fair bit of third-party package coverage) with GODEBUG=tarinsecurepath=0,zipinsecurepath=0 and report back on how many things break. (We did this in the runup to 1.20, but I don't have the failure list to hand any more.) |
This comment was marked as spam.
This comment was marked as spam.
We could add NewSafeReader, but I don't think we've exhausted trying #55356 (default on) yet. We should probably do that first or else understand why we can't ever do that. The Google test failures looked like they had a small number of root causes. Docker may be popular but I don't think direct reading of Docker tar files is nearly as popular. |
This is a noble goal but it feels as though the proposal is trying to fix the issue in the wrong place. A path in an archive isn't inherently secure or insecure, so why is the reader concerning itself with making that decision and returning an error? It feels a little like trying to prevent SQL injection by making http.Request.PostFormValue() aware of 'dangerous' SQL characters. Would it make more sense to add API to handle extracting an archive to a filesystem directly? That would remove a lot of the "boilerplate" you need to write at present, and provide a sensible place for the "secure or not" determination to live where it can make OS-specific decisions. |
subtopic#1: subtopic#2:
I think legitimate archives with symlink entries pointing out of the archive (but without a path traversal follow up entry) are more frequent out there than archives with absolute path entries. Doing this securely would require one of these (all of them have some drawbacks):
subtopic#3:
This would keep the number of entrypoints the same and may make things a bit less complicated (while still offering full control). |
As a practical concern, validating that archive paths don't escape the current directory would have avoided at least five distinct CVEs that I know of, and probably others that I don't. (See #55356.) Addressing the issue in the archive reader will reduce the chances of vulnerabilities in all code that reads archives; adding a new API to extract an archive to a filesystem risks satisfying only a subset of possible use cases and leaving other users vulnerable.
This is unfortunately not a backwards compatible change, since existing code may rely on the current function signature. For example, code might assign NewReader to a variable.
I'll report back when I manage to get a test run to go through. (The number of failures caused timeouts in the failure-deflaking tool. Might still be a small number of root causes, though.) |
Waiting for more information about whether we can enable #55356 by default. |
Putting on hold until we have that more information. Please move back to active when we do. |
Placed on hold. |
This is another attempt at hardening the
archive/tar
andarchive/zip
packages against file traversal attacks, fixing #25849.Naive handling of archives containing filenames such as
../../../etc/passwd
leads to security vulnerabilities. (See #55356 for a bunch of reference CVEs.) In #55356, I proposed changingarchive/tar
andarchive/zip
to return anErrInsecurePath
error when encountering an unsafe filename. Unfortunately, we subsequently discovered that Docker images frequently include filenames with absolute paths, making this change infeasible.I propose adding new safe-by-default functions to
archive/tar
andarchive/zip
.The
NewReaderWithOptions
functions will provide the same functionality as proposed in #55356, but in a new API to avoid breaking existing users. In addition, these functions provide an easy way for users who want to accept some forms of unsafe path to do so while still defending against unexpected cases: For example, permitting absolute filenames while rejecting ones containing unexpected backslash characters.I further propose that we update the
NewReader
documentation to encourage all users to migrate toNewReaderWithOptions
. Once all supported Go versions includeNewReaderWithOptions
, we can go further and deprecateNewReader
. We might also consider changingNewReader
to be safe by default at some point, although that decision is out of scope for this proposal.The text was updated successfully, but these errors were encountered: