

Remediate zipslip
paths in the archives containing .. could creep out of directory
they were being unpacked into.

The fix is simple: given a base path and file path, instead of
filepath.Join(base, file)
do
filepath.Join(base, filepath.Join("/", file))

Joining to / has the property of swallowing up any .. that may appear.

Signed-off-by: Ronald G Minnich <rminnich@gmail.com>
rminnich committed Aug 28, 2020
1 parent 0e6ec3e commit e82b9c7
Showing 4 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion pkg/cpio/fs_plan9.go
Expand Up @@ -72,7 +72,7 @@ func CreateFileInRoot(f Record, rootDir string, forcePriv bool) error {
return err
}

f.Name = filepath.Clean(filepath.Join(rootDir, f.Name))
f.Name = filepath.Clean(filepath.Join(rootDir, filepath.Join("/", f.Name)))
dir := filepath.Dir(f.Name)
// The problem: many cpio archives do not specify the directories and
// hence the permissions. They just specify the whole path. In order
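Review bot: The rewritten name is used without any record that it differs from what the archive asked for, so an entry such as `../x` is now silently unpacked as `<rootDir>/x` instead of being rejected or logged; the same applies to the identical change in pkg/cpio/fs_unix.go and to the tar and zip variants in pkg/tarutil/tar.go and pkg/uzip/uzip.go. Consider surfacing such entries, for example by comparing `filepath.Join(rootDir, f.Name)` with the nested-Join result and returning an error (or at least logging) when they disagree, so a hostile archive is visible rather than quietly relocated. The invariant the nested Join relies on deserves a comment on the changed line, e.g. `// Join to "/" first: Join cleans its result, so any ".." in the archive name is swallowed and the path stays under rootDir.`; with that, the outer `filepath.Clean` is redundant because `filepath.Join` already cleans. This only constrains the entry's own path: if CreateFileInRoot later materializes symlink or hard-link entries from the record (its body continues outside the hunk), a link target outside rootDir, or a later entry written through an earlier symlink, is not covered by this change and should be checked separately.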
2 changes: 1 addition & 1 deletion pkg/cpio/fs_unix.go
Expand Up @@ -108,7 +108,7 @@ func CreateFileInRoot(f Record, rootDir string, forcePriv bool) error {
return err
}

f.Name = filepath.Clean(filepath.Join(rootDir, f.Name))
f.Name = filepath.Clean(filepath.Join(rootDir, filepath.Join("/", f.Name)))
dir := filepath.Dir(f.Name)
// The problem: many cpio archives do not specify the directories and
// hence the permissions. They just specify the whole path. In order
2 changes: 1 addition & 1 deletion pkg/tarutil/tar.go
Expand Up @@ -131,7 +131,7 @@ func CreateTarFilter(tarFile io.Writer, files []string, filters []Filter) error

func createFileInRoot(hdr *tar.Header, r io.Reader, rootDir string) error {
fi := hdr.FileInfo()
path := filepath.Clean(filepath.Join(rootDir, hdr.Name))
path := filepath.Clean(filepath.Join(rootDir, filepath.Join("/", hdr.Name)))
if !strings.HasPrefix(path, filepath.Clean(rootDir)) {
return fmt.Errorf("file outside root directory: %q", path)
}
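Review bot: The `strings.HasPrefix(path, filepath.Clean(rootDir))` guard on the line after the change can no longer fail for a `..` name, because `filepath.Join(rootDir, filepath.Join("/", hdr.Name))` always yields a path under rootDir, so the `file outside root directory` error is effectively unreachable from this input. Keeping it as defense in depth is fine, but the relationship should be stated so nobody removes the wrong half later, e.g. `// Join to "/" first swallows any ".." in hdr.Name; the prefix check below is defense in depth.` If the guard stays, note that it compares without a trailing separator, so before this change a rootDir of `/tmp/r` also accepted paths under `/tmp/rx`; a `filepath.Clean(rootDir)+string(filepath.Separator)` prefix (with an equality case for the root itself) would make it a real check again. The rest of createFileInRoot is outside the hunk.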
2 changes: 1 addition & 1 deletion pkg/uzip/uzip.go
Expand Up @@ -89,7 +89,7 @@ func FromZip(src, dir string) error {
}

for _, file := range z.File {
path := filepath.Join(dir, file.Name)
path := filepath.Join(dir, filepath.Join("/", file.Name))
if file.FileInfo().IsDir() {
if err = os.MkdirAll(path, file.Mode()); err != nil {
return err
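Review bot: Unlike the tar variant in pkg/tarutil/tar.go, FromZip has no containment check after building `path`, so the nested Join on the changed line is now the only thing keeping an entry inside dir, and nothing in the hunk records that. A one-line comment would preserve the invariant through future edits, e.g. `// Join to "/" first so any ".." in file.Name is swallowed and path stays under dir.` As written, an entry whose name was rewritten is extracted at the relocated path without any signal; comparing `filepath.Join(dir, file.Name)` against `path` and returning an error when they differ would reject such archives instead. The body of the loop, including how non-directory entries are written, continues outside the hunk.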
