aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Peter Korsgaard <peter@korsgaard.com>2019-02-11 23:22:02 +0100
committerGravatar Peter Korsgaard <peter@korsgaard.com>2019-02-12 21:27:35 +0100
commita83e30ad63e00d6c81a6409161c2d3010d98d373 (patch)
treee8bdf57af51a26a87ffe81f5316e97a082e9ce97
parent424a90241c07fd15cd1caadd707f751461cf11fc (diff)
downloadbuildroot-a83e30ad63e00d6c81a6409161c2d3010d98d373.tar.gz
buildroot-a83e30ad63e00d6c81a6409161c2d3010d98d373.tar.bz2
utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling
For details, see https://github.com/snyk/zip-slip-vulnerability Older python versions do not validate that the extracted files are inside the target directory. Detect and error out on evil paths before extracting .zip / .tar file. Given the scope of this (zip issue was fixed in python 2.7.4, released 2013-04-06, scanpypi is only used by a developer when adding a new python package), the security impact is fairly minimal, but it is good to get it fixed anyway. Reported-by: Bas van Schaik <security-reports@semmle.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rwxr-xr-xutils/scanpypi18
1 files changed, 18 insertions, 0 deletions
diff --git a/utils/scanpypi b/utils/scanpypi
index a75d696222..bdce6924b6 100755
--- a/utils/scanpypi
+++ b/utils/scanpypi
@@ -225,6 +225,22 @@ class BuildrootPackage():
self.filename = self.used_url['filename']
self.url = self.used_url['url']
+ def check_archive(self, members):
+ """
+ Check archive content before extracting
+
+ Keyword arguments:
+ members -- list of archive members
+ """
+ # Protect against https://github.com/snyk/zip-slip-vulnerability
+ # Older python versions do not validate that the extracted files are
+ # inside the target directory. Detect and error out on evil paths
+ evil = [e for e in members if os.path.relpath(e).startswith(('/', '..'))]
+ if evil:
+ print('ERROR: Refusing to extract {} with suspicious members {}'.format(
+ self.filename, evil))
+ sys.exit(1)
+
def extract_package(self, tmp_path):
"""
Extract the package contents into a directrory
@@ -249,6 +265,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg)
+ self.check_archive(as_zipfile.namelist())
as_zipfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".zip")[0]
else:
@@ -264,6 +281,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg)
+ self.check_archive(as_tarfile.getnames())
as_tarfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".tar")[0]