From c6a1272b178a4a2a04cfc88c87f6e195b16eddb5 Mon Sep 17 00:00:00 2001
From: Quentin Kaiser <quentin@iot-inspector.com>
Date: Thu, 3 Feb 2022 13:53:14 +0100
Subject: [PATCH] Fix path traversal vulnerability.

ubireader_extract_files could lead to path traversal when run against
specifically crafted UBIFS files, allowing the attacker to overwrite
files outside of the extraction directory (provided the process has
write access to that file or directory).
---
 ubireader/ubifs/output.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ubireader/ubifs/output.py b/ubireader/ubifs/output.py
index e74f1f7..88cae3e 100755
--- a/ubireader/ubifs/output.py
+++ b/ubireader/ubifs/output.py
@@ -26,6 +26,10 @@
 from ubireader.ubifs.misc import decompress
 from ubireader.debug import error, log, verbose_log
 
+def is_safe_path(basedir, path):
+    basedir = os.path.realpath(basedir)
+    path = os.path.realpath(os.path.join(basedir, path))
+    return basedir == os.path.commonpath((basedir, path))
 
 def extract_files(ubifs, out_path, perms=False):
     """Extract UBIFS contents to_path/
@@ -59,8 +63,12 @@ def extract_dents(ubifs, inodes, dent_node, path='', perms=False):
         return
 
     inode = inodes[dent_node.inum]
-    dent_path = os.path.join(path, dent_node.name)
-        
+
+    if not is_safe_path(path, dent_node.name):
+        error(extract_dents, 'Warning', 'Path traversal attempt: %s, discarding' % (dent_node.name))
+        return
+    dent_path = os.path.realpath(os.path.join(path, dent_node.name))
+
     if dent_node.type == UBIFS_ITYPE_DIR:
         try:
             if not os.path.exists(dent_path):