Bug 1792064 - Ensure 'mozfile.extract_tarball' can't write outside of destination, r=mozbase-reviewers,jmaher

Jira: RELENG-1001 Differential Revision: https://phabricator.services.mozilla.com/D157948
2025-02-27 12:50:09 +00:00 · 2022-09-22 20:30:09 +00:00 · 2022-09-22 20:30:09 +00:00 · 1981601c6d
commit 1981601c6d
parent 6004eaf97e
2 changed files with 44 additions and 14 deletions
--- a/testing/mozbase/mozfile/mozfile/mozfile.py
+++ b/testing/mozbase/mozfile/mozfile/mozfile.py
@ -1,13 +1,9 @@
-# -*- coding: utf-8 -*-
-
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 # We don't import all modules at the top for performance reasons. See Bug 1008943

-from __future__ import absolute_import, print_function
-
 import errno
 import os
 import re
@ -16,10 +12,10 @@ import sys
 import time
 import warnings
 from contextlib import contextmanager
+from textwrap import dedent

 from six.moves import urllib

-
 __all__ = [
    "extract_tarball",
    "extract_zip",
@ -49,6 +45,19 @@ def extract_tarball(src, dest, ignore=None):
        namelist = []

        for m in bundle:
+            # Mitigation for CVE-2007-4559, Python's tarfile library will allow
+            # writing files outside of the intended destination.
+            if ".." in m.name:
+                raise RuntimeError(
+                    dedent(
+                        f"""
+                    Tar bundle '{src}' may be maliciously crafted to escape the destination!
+                    The following path was detected:
+
+                      {m.name}
+                    """
+                    )
+                )
            if ignore and any(match(m.name, i) for i in ignore):
                continue
            bundle.extract(m, path=dest)
@ -96,8 +105,8 @@ def extract(src, dest=None, ignore=None):
    Returns the list of top level files that were extracted
    """

-    import zipfile
    import tarfile
+    import zipfile

    assert os.path.exists(src), "'%s' does not exist" % src

@ -245,7 +254,7 @@ def remove(path):
        and path[1] == ":"
        and path[2] == "\\"
    ):
-        path = u"\\\\?\\%s" % path
+        path = "\\\\?\\%s" % path

    if os.path.isfile(path) or os.path.islink(path):
        # Verify the file or link is read/write for the current user
@ -335,9 +344,9 @@ def depth(directory):

 def tree(directory, sort_key=lambda x: x.lower()):
    """Display tree directory structure for `directory`."""
-    vertical_line = u"│"
-    item_marker = u"├"
-    last_child = u"└"
+    vertical_line = "│"
+    item_marker = "├"
+    last_child = "└"

    retval = []
    indent = []
@ -544,8 +553,8 @@ def TemporaryDirectory():

    """

-    import tempfile
    import shutil
+    import tempfile

    tempdir = tempfile.mkdtemp()
    try:
--- a/testing/mozbase/mozfile/tests/test_extract.py
+++ b/testing/mozbase/mozfile/tests/test_extract.py
@ -7,11 +7,9 @@ import tarfile
 import tempfile
 import zipfile

+import mozfile
 import mozunit
 import pytest
-
-import mozfile
-
 import stubs


@ -129,5 +127,28 @@ def test_extract_ignore(tmpdir, bundlepath):
    assert sorted(os.listdir(dest)) == ["bar.txt", "foo.txt"]


+def test_tarball_escape(tmpdir):
+    """Ensures that extracting a tarball can't write outside of the intended
+    destination directory.
+    """
+    workdir = tmpdir.mkdir("workdir")
+    os.chdir(workdir)
+
+    # Generate a "malicious" bundle.
+    with open("bad.txt", "w") as fh:
+        fh.write("pwned!")
+
+    def change_name(tarinfo):
+        tarinfo.name = "../" + tarinfo.name
+        return tarinfo
+
+    with tarfile.open("evil.tar", "w:xz") as tar:
+        tar.add("bad.txt", filter=change_name)
+
+    with pytest.raises(RuntimeError):
+        mozfile.extract_tarball("evil.tar", workdir)
+    assert not os.path.exists(tmpdir.join("bad.txt"))
+
+
 if __name__ == "__main__":
    mozunit.main()