Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pip processes corrupt packages containing using ../ chars placing files outside target directory #3907

Closed
hyp3rlinx opened this issue Aug 16, 2016 · 8 comments · Fixed by #6313

Comments

@hyp3rlinx
Copy link

@hyp3rlinx hyp3rlinx commented Aug 16, 2016

  • Pip version: tested on pip versions 6.0.8 and 8.0.2,
  • Python version: 2.7
  • Operating System: Linux / Windows

Description:

pip processes invalid packages .tar/.zip archives containing "../" directory traversal chars and places package files outside of target directories even after pip complains and throws errors and aborts the install.

@RobotLimeLtd

This comment has been minimized.

Copy link

@RobotLimeLtd RobotLimeLtd commented Mar 1, 2019

This has been open quite a while, and it's something Sonatype (who own Nexus) say is still present in the latest versions of Pip. For this reason, any organisation running Nexus IQ at their perimeter finds all versions of the Pip package quarantined.

Not wishing to be rude, but is there a reason it's never been fixed in 2 and a half years? I work with people who could maybe work on a patch, but I'd like to know in advance if there's some genuine blocker, or whether it's just fallen through the cracks.

@pfmoore

This comment has been minimized.

Copy link
Member

@pfmoore pfmoore commented Mar 1, 2019

Mainly just that no-one has offered a PR, I suspect. That plus the fact that we don't really offer any guarantees if you feed invalid package files to pip, so fixing this one specific issue is probably only the tip of the iceberg, and we don't have anything like the resources to provide any guarantees here.

But if you want to produce a PR, there's no reason I can see that we'd reject it.

@cjerdonek

This comment has been minimized.

Copy link
Member

@cjerdonek cjerdonek commented Mar 3, 2019

Is there any backwards compatibility concern here?

@wilsonfv

This comment has been minimized.

Copy link
Contributor

@wilsonfv wilsonfv commented Mar 3, 2019

i raised a PR simply add a warning message if the output tar file is placed outside of target location

@cjerdonek

This comment has been minimized.

Copy link
Member

@cjerdonek cjerdonek commented Mar 13, 2019

FYI, someone is working on a PR for this issue, PR #6313. However, the PR doesn't prevent files from being placed outside the target directory. It just logs a warning and says the behavior is deprecated.

Personally, I think we should simply prevent this from happening as it's a security issue and can cause data loss. What do people on this issue think?

Also, as a secondary point, if pip is already complaining by throwing an error and aborting the install as the OP said, I don't see what we gain by logging a warning on top of that.

@xavfernandez

This comment has been minimized.

Copy link
Contributor

@xavfernandez xavfernandez commented Mar 14, 2019

I agree pip should not log a warning but simply not process those files.

@pradyunsg

This comment has been minimized.

Copy link
Member

@pradyunsg pradyunsg commented Mar 15, 2019

Cool, let's stick with aborting.

wilsonfv added a commit to wilsonfv/pip that referenced this issue Aug 18, 2019
@bytesemantics

This comment has been minimized.

Copy link

@bytesemantics bytesemantics commented Sep 6, 2019

This issue is now affecting our Enterprise use of python - as we've adopted Sonatype IQ for vuln scanning too.

Do we have an ETA for when this fix might be merged/released ?

chrahunt added a commit to wilsonfv/pip that referenced this issue Sep 25, 2019
chrahunt added a commit that referenced this issue Sep 26, 2019
Fix #3907 tar file placed outside of target location
PatrikKopkan pushed a commit to PatrikKopkan/pip that referenced this issue Oct 18, 2019
@lock lock bot added the S: auto-locked label Oct 27, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 27, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
8 participants
You can’t perform that action at this time.