Zip slip merge conflict fix #231

Merged
merged 3 commits into from
Sep 29, 2020

petemoore
Contributor

This is #203 plus a commit to resolve the merge conflict with master branch.

@petemoore petemoore mentioned this pull request Sep 1, 2020
@coolaj86 coolaj86 mentioned this pull request Sep 25, 2020
@coolaj86
Collaborator

Hey @petemoore, I've recently been granted review / approver status.
I've reviewed this and, if you wouldn't mind rebasing on master, I'll merge it in and publish a new release ASAP.

giuliocomi and others added 3 commits September 28, 2020 10:43
the extraction process now continues with other files by default even if there is a dot-dot filename, which is of course skipped.
The test evilarchives have been generated with following script:
https://github.com/giuliocomi/evilarchiver
Command:
$ mkdir safedir
$ touch security_test.txt safedir/safefile
$ python2 evilarchiver.py -e security_test.txt -n ../evilfile -s safedir/safefile
@petemoore
Contributor Author

petemoore commented Sep 28, 2020

Thanks @coolaj86, I've rebased the commits, and now am just waiting on the CI results...
UPDATE: looks like the CI passed. I think this is good to go from my side. :-)

@@ -94,7 +105,7 @@ func (r *Rar) Unarchive(source, destination string) error {
break
}
if err != nil {
if r.ContinueOnError {
if r.ContinueOnError || strings.Contains(err.Error(), "illegal file path") {
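Review bot: the new condition `strings.Contains(err.Error(), "illegal file path")` on the changed `if` line decides control flow by matching error message text, so it silently stops working if that message is ever reworded and it also matches any unrelated error whose text happens to contain the phrase. Return a package-level sentinel for the dot-dot case and test it with `errors.Is(err, ErrIllegalPath)`, the name proposed in the review comment below. The same condition also sends illegal-path entries down the same branch as `r.ContinueOnError` even when that field is false, so a caller gets no signal that an entry was dropped; recording the skipped name or documenting this default would help.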
Collaborator

I'd prefer that we expose ErrIllegalPath and check against that, however, I'm accepting this as-is and will save that for a later commit.

@coolaj86
Collaborator

coolaj86 commented Sep 29, 2020

Thanks @petemoore. I'm approving this, merging, and releasing. HOWEVER, I'm not sure that the vulnerability is 100% fixed.

From what I can see it doesn't look like you did any symlink checking. Imagine a tar file with these contents:

[symlink]    demifile    =>/etc/passwd
[file]       demifile    PWNed!

I could put demifile down as a link and then I could have another entry for demifile that has contents. I may have read the code wrong, but I think that's currently true.
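
The two-entry archive described in the comment above, run through a defensive extractor, as an added example that is not code from this pull request or from the project. `Sample`, `writeNew` and `Extract` are hypothetical names, the archive is constructed, and the policy (refuse every link entry, create files with `O_EXCL`) is this example's assumption; `filepath.IsLocal` needs Go 1.20 or later.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Sample (hypothetical) builds a constructed archive: the link and file entries named demifile, then a dot-dot name.
func Sample(linkTarget string) *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: "demifile", Typeflag: tar.TypeSymlink, Linkname: linkTarget})
	for _, name := range []string{"demifile", "../evilfile"} {
		tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o600, Size: 6})
		tw.Write([]byte("PWNed!"))
	}
	tw.Close()
	return buf
}

// writeNew (hypothetical) creates p with O_EXCL, which fails if p already exists, even as a symlink.
func writeNew(p string, src io.Reader) error {
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err == nil {
		defer f.Close()
		_, err = io.Copy(f, src)
	}
	return err
}

// Extract (hypothetical) unpacks r into the existing directory dest and returns the entry names it refused.
func Extract(r io.Reader, dest string) (skipped []string, err error) {
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return skipped, err
		}
		// Example policy: refuse non-local names (dot-dot, absolute), non-regular entries such as links, and existing names.
		if !filepath.IsLocal(h.Name) || h.Typeflag != tar.TypeReg || writeNew(filepath.Join(dest, h.Name), tr) != nil {
			skipped = append(skipped, h.Name)
		}
	}
	return skipped, nil
}

func main() { fmt.Println(Extract(Sample("/etc/passwd"), ".")) }
```

The exclusive create protects only the final path component and `dest` must already exist; parent directories that are themselves links need a separate check.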

Collaborator

@coolaj86 coolaj86 left a comment

LGTM

@petemoore
Contributor Author

petemoore commented Sep 29, 2020

> Thanks @petemoore. I'm approving this, merging, and releasing. HOWEVER, I'm not sure that the vulnerability is 100% fixed.
>
> From what I can see it doesn't look like you did any symlink checking. Imagine a tar file with these contents:
>
> [symlink]    demifile    =>/etc/passwd
> [file]       demifile    PWNed!
>
> I could put demifile down as a link and then I could have another entry for demifile that has contents. I may have read the code wrong, but I think that's currently true.

Thanks @coolaj86. I'm also not sure this fixes everything; it is simply #203 rebased with merge conflicts resolved, but hopefully we're a step closer. That PR was made by someone else, but eventually conflicted with changes on master, so my contribution was just about resolving those conflicts so that somebody could take a look at the changes to see if they were ok (you'll see I'm not the author of any of the commits here).

@coolaj86
Collaborator

@petemoore Do you think you could take on #242 ?

I'm an "approver" and a "releaser", but I don't actually have direct commit access and the other approvers are inactive... so if you can come up with a solution, I can get it in :)

@coolaj86
Collaborator

And thank you very much for your help thus far. 😃
