Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding tarfile member sanitization to extractall() #2741

Merged
merged 1 commit into from
Oct 2, 2022
Merged

Adding tarfile member sanitization to extractall() #2741

merged 1 commit into from
Oct 2, 2022

Conversation

Trott
Copy link
Member

@Trott Trott commented Sep 29, 2022

From nodejs/node#44823:

Patching CVE-2007-4559

Hi, we are security researchers from the Advanced Research Center at Trellix. We have began a campaign to patch a widespread bug named CVE-2007-4559. CVE-2007-4559 is a 15 year old bug in the Python tarfile package. By using extract() or extractall() on a tarfile object without sanitizing input, a maliciously crafted .tar file could perform a directory path traversal attack. We found at least one unsantized extractall() in your codebase and are providing a patch for you via pull request. The patch essentially checks to see if all tarfile members will be extracted safely and throws an exception otherwise. We encourage you to use this patch or your own solution to secure against CVE-2007-4559. Further technical information about the vulnerability can be found in this blog.

If you have further questions you may contact us through this projects lead researcher Kasimir Schulz.

@TrellixVulnTeam

@Trott Trott mentioned this pull request Sep 29, 2022
Closed
rvagg
rvagg approved these changes Sep 30, 2022
View reviewed changes
Copy link
Member

@rvagg rvagg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, seems straightforward if a little unnecessary given this is only grabbing from github but if it stops people reporting security problems then that's good

@Trott Trott merged commit 33deab4 into main Oct 2, 2022
@Trott Trott deleted the update branch October 2, 2022 02:05
@targos
Copy link
Member

targos commented Oct 10, 2022

Maybe I'm missing something but this change breaks the script on my mac:

$ ./update-gyp.py v0.14.0
Downloading gyp-next@v0.14.0 into temporary directory...
From: https://github.com/nodejs/gyp-next/archive/v0.14.0.tar.gz
Unzipping...
Traceback (most recent call last):
  File "/Users/targos/git/nodejs/node-gyp/./update-gyp.py", line 54, in <module>
    safe_extract(tar_ref, unzip_target)
  File "/Users/targos/git/nodejs/node-gyp/./update-gyp.py", line 52, in safe_extract
    tar.extractall(path, members, numeric_owner)
TypeError: TarFile.extractall() takes from 1 to 3 positional arguments but 4 were given

@TrellixVulnTeam
Copy link

I submitted another PR that changed numeric_owner as a keyword argument. That will support Python 3.5 or higher.

@cclauss
Copy link
Contributor

cclauss commented Oct 10, 2022

@targos python --version ?

cclauss
cclauss reviewed Oct 10, 2022
View reviewed changes
update-gyp.py

return prefix == abs_directory

def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The asterisk is significant here.

cclauss
cclauss reviewed Oct 10, 2022
View reviewed changes
update-gyp.py
if not is_within_directory(path, member_path):
raise Exception("Attempted Path Traversal in Tar File")

tar.extractall(path, members, numeric_owner)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extract
This must be tar.extractall(path, members, numeric_owner=numeric_owner)

@mscdex mscdex mentioned this pull request Oct 10, 2022
Closed
@targos
Copy link
Member

targos commented Oct 10, 2022

@cclauss

$ python --version
Python 3.10.7

@TLESORT TLESORT mentioned this pull request Jan 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cclauss cclauss cclauss left review comments

@rvagg rvagg rvagg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@Trott @targos @TrellixVulnTeam @cclauss @rvagg @PatchTester