Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(security) Fix tar slip in micropackaging #3559

Merged
merged 7 commits into from
Jan 29, 2024
Merged

(security) Fix tar slip in micropackaging #3559

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0f56a2a
Update safe_extract fn
ankatiyar Jan 26, 2024
409a4ff
Update tests
ankatiyar Jan 26, 2024
8a5b6ae
Try fix test
ankatiyar Jan 26, 2024
c16497d
Merge branch 'main' into security-vulnerability
ankatiyar Jan 26, 2024
79875ab
Add comment about bandit
ankatiyar Jan 29, 2024
5b2ceb3
Update release notes
ankatiyar Jan 29, 2024
98011cf
Merge branch 'main' into security-vulnerability
ankatiyar Jan 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions RELEASE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
## Major features and improvements

## Bug fixes and other changes
* Addressed arbitrary file write via archive extraction security vulnerability in micropackaging.

Check warning on line 6 in RELEASE.md

View workflow job for this annotation

GitHub Actions / vale

[vale] RELEASE.md#L6 

[Kedro.words] Use 'with' or 'through' instead of 'via'.
Raw output 
{"message": "[Kedro.words] Use 'with' or 'through' instead of 'via'.", "location": {"path": "RELEASE.md", "range": {"start": {"line": 6, "column": 34}}}, "severity": "WARNING"}

Check warning on line 6 in RELEASE.md

View workflow job for this annotation

GitHub Actions / vale

[vale] RELEASE.md#L6 

[Kedro.Spellings] Did you really mean 'micropackaging'?
Raw output 
{"message": "[Kedro.Spellings] Did you really mean 'micropackaging'?", "location": {"path": "RELEASE.md", "range": {"start": {"line": 6, "column": 83}}}, "severity": "WARNING"}

## Breaking changes to the API

Expand Down
6 changes: 5 additions & 1 deletion kedro/framework/cli/micropkg.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -390,12 +390,16 @@ def _is_within_directory(directory: Path, target: Path) -> bool:


def safe_extract(tar: tarfile.TarFile, path: Path) -> None:
safe_members = []
for member in tar.getmembers():
member_path = path / member.name
if not _is_within_directory(path, member_path):
# noqa: broad-exception-raised
raise Exception("Failed to safely extract tar file.")
tar.extractall(path) # nosec B202
safe_members.append(member)
tar.extractall(path, members=safe_members) # nosec B202
ankatiyar marked this conversation as resolved.
Show resolved Hide resolved
# The nosec is still required because bandit still flags this.
# Related issue: https://github.com/PyCQA/bandit/issues/1038


def _unpack_sdist(location: str, destination: Path, fs_args: str | None) -> None:
Expand Down
4 changes: 2 additions & 2 deletions tests/framework/cli/micropkg/test_micropkg_pull.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -762,7 +762,7 @@ def test_micropkg_pull_invalid_sdist(
assert sdist_file.is_file()

with tarfile.open(sdist_file, "r:gz") as tar:
tar.extractall(tmp_path)
safe_extract(tar, tmp_path)

# Create extra project
extra_project = tmp_path / f"{PIPELINE_NAME}-0.1_extra"
Expand Down Expand Up @@ -801,7 +801,7 @@ def test_micropkg_pull_invalid_package_contents(
assert sdist_file.is_file()

with tarfile.open(sdist_file, "r:gz") as tar:
tar.extractall(tmp_path)
safe_extract(tar, tmp_path)

# Create extra package
extra_package = tmp_path / f"{PIPELINE_NAME}-0.1" / f"{PIPELINE_NAME}_extra"
Expand Down
Loading