jeans/motioneyeos
jeans/motioneyeos
1
0
Fork 0
mirror of https://github.com/motioneye-project/motioneyeos.git synced 2025-07-29 06:06:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling

Browse Source 
For details, see https://github.com/snyk/zip-slip-vulnerability

Older python versions do not validate that the extracted files are inside
the target directory.  Detect and error out on evil paths before extracting
.zip / .tar file.

Given the scope of this (zip issue was fixed in python 2.7.4, released
2013-04-06, scanpypi is only used by a developer when adding a new python
package), the security impact is fairly minimal, but it is good to get it
fixed anyway.

Reported-by: Bas van Schaik <security-reports@semmle.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Peter Korsgaard 2019-02-11 23:22:02 +01:00
parent 424a90241c
commit a83e30ad63
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
utils/scanpypi
View File

@ -225,6 +225,22 @@ class BuildrootPackage():
self.filename = self.used_url['filename'] self.filename = self.used_url['filename']
self.url = self.used_url['url'] self.url = self.used_url['url']
def check_archive(self, members):
"""
Check archive content before extracting
Keyword arguments:
members -- list of archive members
"""
# Protect against https://github.com/snyk/zip-slip-vulnerability
# Older python versions do not validate that the extracted files are
# inside the target directory. Detect and error out on evil paths
evil = [e for e in members if os.path.relpath(e).startswith(('/', '..'))]
if evil:
print('ERROR: Refusing to extract {} with suspicious members {}'.format(
self.filename, evil))
sys.exit(1)
def extract_package(self, tmp_path): def extract_package(self, tmp_path):
""" """
Extract the package contents into a directrory Extract the package contents into a directrory
@ -249,6 +265,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg)) print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg) shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg) os.makedirs(tmp_pkg)
self.check_archive(as_zipfile.namelist())
as_zipfile.extractall(tmp_pkg) as_zipfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".zip")[0] pkg_filename = self.filename.split(".zip")[0]
else: else:
@ -264,6 +281,7 @@ class BuildrootPackage():
print('Removing {pkg}...'.format(pkg=tmp_pkg)) print('Removing {pkg}...'.format(pkg=tmp_pkg))
shutil.rmtree(tmp_pkg) shutil.rmtree(tmp_pkg)
os.makedirs(tmp_pkg) os.makedirs(tmp_pkg)
self.check_archive(as_tarfile.getnames())
as_tarfile.extractall(tmp_pkg) as_tarfile.extractall(tmp_pkg)
pkg_filename = self.filename.split(".tar")[0] pkg_filename = self.filename.split(".tar")[0]