fix(appengine): Checks destination directory before unpacking file. (#…

…5443) * fix(appengine): Checks destination directory before unpacking file. * fix(appengine): Removes reference to FileUtils * fix(appengine): Uses crafted `tar` file to trigger vulnerability on tests and check it throws an exception preventing further damage. * fix(appengine): Removes zip file. * fix(appengine): Adds happy path test. Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
spinnaker · Jul 28, 2021 · 61d6b30 · 61d6b30
1 parent 2a9810f
commit 61d6b30
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 0 deletions.
diff --git a/...ne/src/main/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtils.java b/...ne/src/main/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtils.java
@@ -47,6 +47,15 @@ public DirectoryTimestamp(File d, long m) {
         entry != null;
         entry = tarStream.getNextTarEntry()) {
       File target = new File(baseDirectory, entry.getName());
+
+      String canonicalTargetPath = target.getCanonicalPath();
+      String canonicalBaseDirPath = baseDirectory.getCanonicalPath();
+
+      if (!canonicalTargetPath.startsWith(canonicalBaseDirPath)) {
+        throw new RuntimeException(
+            "Entry is outside of the target directory (" + entry.getName() + ")");
+      }
+
       if (entry.isDirectory()) {
         directoryStack.push(new DirectoryTimestamp(target, entry.getModTime().getTime()));
         continue;

diff --git a/...rc/test/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtilsTest.java b/...rc/test/java/com/netflix/spinnaker/clouddriver/appengine/artifacts/ArtifactUtilsTest.java
@@ -0,0 +1,50 @@
+package com.netflix.spinnaker.clouddriver.appengine.artifacts;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import org.junit.jupiter.api.Test;
+
+class ArtifactUtilsTest {
+
+  @Test
+  void testUntarStreamToPathWithEntryOutsideDestDirThrowsException() throws IOException {
+
+    Exception ex = null;
+    String s = "target/zip-unarchiver-slip-tests";
+    File testZip = new File(new File("").getAbsolutePath(), "src/test/zip-slip/zip-slip.tar");
+    File outputDirectory = new File(new File("test-tar").getAbsolutePath(), s);
+
+    outputDirectory.delete();
+
+    try {
+      ArtifactUtils.untarStreamToPath(new FileInputStream(testZip), outputDirectory.getPath());
+    } catch (Exception e) {
+      ex = e;
+    }
+
+    assertNotNull(ex);
+    assertTrue(ex.getMessage().startsWith("Entry is outside of the target directory"));
+  }
+
+  @Test
+  void testUntarStreamDirDoesNotThrowsException() throws IOException {
+
+    Exception ex = null;
+    String s = "target/zip-unarchiver-slip-tests";
+    File testZip = new File(new File("").getAbsolutePath(), "src/test/zip-slip/normal-tar.tar");
+    File outputDirectory = new File(new File("test-tar").getAbsolutePath(), s);
+
+    outputDirectory.delete();
+
+    try {
+      ArtifactUtils.untarStreamToPath(new FileInputStream(testZip), outputDirectory.getPath());
+    } catch (Exception e) {
+      ex = e;
+    }
+
+    assertNull(ex);
+  }
+}
diff --git a/clouddriver-appengine/src/test/zip-slip/normal-tar.tar b/clouddriver-appengine/src/test/zip-slip/normal-tar.tar
diff --git a/clouddriver-appengine/src/test/zip-slip/zip-slip.tar b/clouddriver-appengine/src/test/zip-slip/zip-slip.tar