Fix CVE-2018-1000544 and disable symlinks to avoid other security issues #376
With apologies for opening another PR... this PR builds on #371.
So, I've had a go at fixing the symlink issues... by just disabling symlink extraction altogether. I don't need symlink support, so this is an OK solution for me. I'm not sure whether it will be in general; feel free to close / cherry pick bits of this PR if not. I think this would require a major version bump. (It's also notable that, as mentioned in #371 (comment), there are no tests for non-malicious symlinks at present.)
Tests on my apps with
gem 'rubyzip', require: 'zip', git: 'https://github.com/jdleesmiller/rubyzip.git', ref: 'fix-cve-2018-1000544'
Compared to #371, this PR also includes some test reorganisation and changes the name validation code to use some built-in ruby methods, rather than regular expressions. Hopefully that is more portable.
As noted in #371 (comment), the name validation still does nothing to protect the caller if they pass in
I think the approach in #371 for checking that symlink targets are relative and do not contain
A general solution (e.g. like the one in progress on mholt/archiver#70) seems like it probably has to involve something like https://github.com/cyphar/filepath-securejoin (in Go), which can tell you whether a path resolves within a particular 'root' directory, even in the presence of symlinks. Apparently doing it in a cross-platform way is hard (at least in Go): golang/go#20126.
In ruby, there is
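An added example in Ruby, not rubyzip's own code and not part of this PR, of the destination-path check discussed above: it rejects absolute entry names and `..` components, and refuses to traverse any symlink beneath the extraction root, so a link planted by an earlier entry cannot redirect a later write outside it. The helper name `safe_extraction_path` is hypothetical.

```ruby
require 'pathname'

# Hypothetical helper (not rubyzip's API): decide whether the zip entry
# +entry_name+ may be written beneath +root+. Returns the full destination
# path, or nil when the entry is unsafe. Three checks: no absolute names,
# no '..' components, and no symlink anywhere on the path inside root.
def safe_extraction_path(root, entry_name)
  return nil if entry_name.nil? || entry_name.empty?
  # Absolute POSIX path, Windows drive letter, or backslash/UNC prefix.
  return nil if entry_name.start_with?('/', '\\') || entry_name.match?(/\A[A-Za-z]:/)
  # Split on either separator; drop empty and '.' components.
  parts = entry_name.split(%r{[\\/]+}).reject { |p| p.empty? || p == '.' }
  return nil if parts.empty? || parts.include?('..')
  root_real = Pathname.new(root).realpath # raises if root does not exist
  current = root_real
  parts.each do |part|
    current += part
    # A symlink here (created by an earlier entry or by anyone else) could
    # point outside root, so refuse to write through one at all.
    return nil if current.symlink?
  end
  current.to_s
end
```

Callers would still need to reject symlink entries themselves (as this PR does) before this check is meaningful, since the check only looks at what is already on disk.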
OK, I've bumped the version to 1.2.2.
I think this should really be a semver major version bump, because dropping support for symlinks completely is a breaking change. However, as @rhymes pointed out, that will probably cause more problems than it's worth at this point for people looking to apply this as a hotfix.
(And I'm not sure what's going on with coveralls. Changing a version number shouldn't affect the coverage numbers.)
@thorsteneckel Thanks for the information. I'm not that familiar with bundler-audit/ruby-advisory-db but is that because https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2018-1000544.yml doesn't include
Does ruby-advisory-db need to adjust patched_versions after this PR is pulled and version 1.2.2 is released, in order for bundle-audit to pass without ignoring the CVE?
@everydayruby - yes. You are absolutely right. But since there is not much traction regarding this CVE in this repository and some of us rely heavily on
@jdleesmiller thanks for picking up the work
@simonoff you seem to be the sole maintainer of this gem and are undoubtedly busy with other things