Merge pull request from GHSA-vm25-83mh-g2gf

gnutaremu: add protection against malicious archive files

Author: rikonen

pghoard.spec

@@ -52,6 +52,9 @@ make test
 
 
 %changelog
+* Wed Feb 11 2020 Tapio Oikarinen <tapio@aiven.io> - 2.1.1
+- Security fix for gnutaremu
+
 * Tue Sep 5 2017 Oskari Saarenmaa <os@aiven.io> - 1.4.0
 - Add pghoard_postgres_command_go
 

pghoard/gnutaremu.py

@@ -17,6 +17,10 @@ def __init__(self):
         parser.add_argument("-f", "--file", help="Specify the file to extract, - for stdin", type=str, required=True)
         parser.add_argument("-C", "--directory", help="Target directory for extraction", type=str)
         parser.add_argument("-P", "--absolute-names", help="Don't strip leading / from file names", action="store_true")
+        parser.add_argument(
+            "--keep-directory-symlink",
+            help="Follow symlinks to directories when extracting from the archive",
+            action="store_true")
         parser.add_argument("--exclude", help="Exclude file matching given patter", type=str, action="append")
         parser.add_argument("--transform", help="Transform file name", type=str, action="append")
         self.args = parser.parse_args()
@@ -40,6 +44,25 @@ def _extract(self, file):
                 if not target_name:
                     continue
 
+                if not self.args.keep_directory_symlink:
+                    # _build_target_name prefixed path with directory name but if absolute
+                    # paths are allowed the path might be outside of target directory
+                    if self.args.directory and target_name.startswith(self.args.directory):
+                        path = self.args.directory
+                        relative_path = target_name[len(self.args.directory):].lstrip(os.sep)
+                    elif target_name.startswith(os.sep):
+                        path = os.sep
+                        relative_path = target_name.lstrip(os.sep)
+                    else:
+                        path = "."
+                        relative_path = target_name
+                    parts = relative_path.split(os.sep)
+                    for part in parts:
+                        path = os.path.join(path, part)
+                        if os.path.islink(path):
+                            os.unlink(path)
+                            break  # only remove first symlink
+
                 if tarinfo.isdir():
                     paths.append([target_name, tarinfo])
                     self.makedirs(target_name)
@@ -67,9 +90,11 @@ def _build_target_name(self, source_name):
         name = self._transform_name(name)
         if not name:
             return None
-        if not self.args.absolute_names and name.startswith("/"):
-            name = name[1:]
-        if not name.startswith("/") and self.args.directory:
+        if not self.args.absolute_names:
+            name = name.lstrip(os.sep)
+            if f"..{os.sep}" in name or name.endswith(".."):
+                return None
+        if not name.startswith(os.sep) and self.args.directory:
             name = os.path.join(self.args.directory, name)
         return name