Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Arbitrary file write during tarfile extraction in luigi/contrib/lsf_runner.py #3302

Closed
Ali-Razmjoo opened this issue Aug 24, 2024 · 0 comments · Fixed by #3309
Closed

Arbitrary file write during tarfile extraction in luigi/contrib/lsf_runner.py #3302

Ali-Razmjoo opened this issue Aug 24, 2024 · 0 comments · Fixed by #3309

Comments

@Ali-Razmjoo
Copy link
Contributor

Hi,

I am reporting a potential security issue with arbitrary file write during tarfile extraction in
https://github.com/spotify/luigi/blob/master/luigi/contrib/lsf_runner.py#L55-L58

Extracting files from a malicious tar archive without validating that the destination file path is within the destination directory can cause files outside the destination directory to be overwritten, due to the possible presence of directory traversal elements (..) in archive paths.

  • ..\malicious_file
  • c:\malicious_file
  • /etc/passwd

Recommendation

with tarfile.open(sys.argv[1]) as tar:
    for entry in tar:
        #GOOD: Check that entry is safe
        if os.path.isabs(entry.name) or ".." in entry.name:
            raise ValueError("Illegal tar archive entry")
        tar.extract(entry, "/tmp/unpack/")

References
Ali-Razmjoo added a commit to Ali-Razmjoo/luigi that referenced this issue Sep 4, 2024
@Ali-Razmjoo
Fix arbitrary file write during tarfile extraction
91ce61f 
Fixes spotify#3302

Address arbitrary file write vulnerability during tarfile extraction in `luigi/contrib/lsf_runner.py`.

* Add a function `_is_within_directory(directory, target)` to check if a target path is within a directory.
* Add a function `_safe_extract(tar, path=".", members=None, *, numeric_owner=False)` to safely extract tar files.
* Replace the existing tar extraction code with a call to `_safe_extract` in the `extract_packages_archive` function.

* Add a test case `test_safe_extract` to verify the safe extraction of tar files in `test/contrib/lsf_test.py`.
* Add a test case `test_safe_extract_with_traversal` to verify that directory traversal is prevented in `test/contrib/lsf_test.py`.
@Ali-Razmjoo Ali-Razmjoo mentioned this issue Sep 4, 2024
Merged
Ali-Razmjoo added a commit to Ali-Razmjoo/luigi that referenced this issue Sep 4, 2024
@Ali-Razmjoo
Fix arbitrary file write during tarfile extraction
5850c44 
Fixes spotify#3302 spotify#3301
Ali-Razmjoo added a commit to Ali-Razmjoo/luigi that referenced this issue Sep 6, 2024
@Ali-Razmjoo
Fix arbitrary file write during tarfile extraction
1ba1030 
Fixes spotify#3302 spotify#3301
Ali-Razmjoo added a commit to Ali-Razmjoo/luigi that referenced this issue Sep 6, 2024
@Ali-Razmjoo
Fix arbitrary file write during tarfile extraction
485d40a 
Fixes spotify#3302 spotify#3301
Ali-Razmjoo added a commit to Ali-Razmjoo/luigi that referenced this issue Sep 6, 2024
@Ali-Razmjoo
Fix arbitrary file write during tarfile extraction
d7bccbb 
Fixes spotify#3302 spotify#3301
Ali-Razmjoo added a commit to Ali-Razmjoo/luigi that referenced this issue Sep 6, 2024
@Ali-Razmjoo
Fix arbitrary file write during tarfile extraction
319434a 
Fixes spotify#3302 spotify#3301
Ali-Razmjoo added a commit to Ali-Razmjoo/luigi that referenced this issue Sep 6, 2024
@Ali-Razmjoo
Fix arbitrary file write during tarfile extraction
b012a00 
Fixes spotify#3302 spotify#3301
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@Ali-Razmjoo