Fix zip slip vulnerability

Ref: https://snyk.io/research/zip-slip-vulnerability
taskcluster · Jun 13, 2018 · d3a0d81 · d3a0d81
1 parent d05ff8e
commit d3a0d81
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 3 deletions.
diff --git a/engines/docker/resultset.go b/engines/docker/resultset.go
@@ -205,7 +205,12 @@ func (r *resultSet) extractResource(resourcePath string, isFolder bool, handler
 			wg.Add(1)
 			go func(t runtime.TemporaryFile) {
 				defer wg.Done()
-				if handler(path.Join(path.Dir(path.Clean(resourcePath)), hdr.Name), t) != nil {
+				dirpath := path.Dir(path.Clean(resourcePath))
+				fullpath := path.Join(dirpath, hdr.Name)
+				if !strings.HasPrefix(fullpath, dirpath) {
+					panic(fmt.Errorf("%s: illegal path", hdr.Name))
+				}
+				if handler(fullpath, t) != nil {
 					interrupted.Do(nil)
 				}
 			}(tmpfile)

diff --git a/engines/native/unpack/file_unpack.go b/engines/native/unpack/file_unpack.go
@@ -22,7 +22,11 @@ func Unzip(filename string) error {
 
 	// Iterate through the files in the archive
 	for _, f := range r.File {
-		fileName := filepath.Join(filepath.Dir(filename), f.Name)
+		dirpath := filepath.Dir(filename)
+		fileName := filepath.Join(dirpath, f.Name)
+		if !strings.HasPrefix(fileName, dirpath) {
+			return fmt.Errorf("%s: illegal path", f.Name)
+		}
 		if f.FileInfo().IsDir() {
 			if err = os.MkdirAll(fileName, f.Mode()); err != nil {
 				return err
@@ -94,7 +98,11 @@ func Untar(filename string) error {
 			}
 			return err
 		}
-		fileName := filepath.Join(filepath.Dir(filename), hdr.Name)
+		dirpath := filepath.Dir(filename)
+		fileName := filepath.Join(dirpath, hdr.Name)
+		if !strings.HasPrefix(fileName, dirpath) {
+			return fmt.Errorf("%s: illegal path", hdr.Name)
+		}
 		switch hdr.Typeflag {
 		case tar.TypeDir:
 			err = os.MkdirAll(fileName, hdr.FileInfo().Mode())

diff --git a/plugins/cache/extract.go b/plugins/cache/extract.go
@@ -5,6 +5,9 @@ import (
 	"bufio"
 	"fmt"
 	"io"
+	"os"
+	"path/filepath"
+	"strings"
 
 	"github.com/pkg/errors"
 	"github.com/taskcluster/taskcluster-worker/runtime"
@@ -80,6 +83,20 @@ func extractArchive(source io.Reader, target fileSystem) error {
 		} else if info.Mode().IsRegular() {
 			debug("extracting file: '%s'", header.Name)
 
+			curdir, err := os.Getwd()
+			if err != nil {
+				panic(err)
+			}
+
+			cleanName, err := filepath.Abs(header.Name)
+			if err != nil {
+				panic(err)
+			}
+
+			if !strings.HasPrefix(cleanName, curdir) {
+				return runtime.NewMalformedPayloadError(fmt.Sprintf("%s: illegal file", header.Name))
+			}
+
 			w := target.WriteFile(header.Name)
 			// We capture errors from the reader, because we don't want these to become
 			// internal errors.