Merge pull request #9661 from blackpiglet/xj014661/1.18/tarball_extraction_check

[1.18][cherry-pick] Add more check for file extraction from tarball.
2026-04-18 06:45:15 +00:00 · 2026-04-02 17:20:33 +08:00
parent e9bc0eca53 c7fa4bfe35
commit 856f1296fc
3 changed files with 44 additions and 1 deletions
--- a/changelogs/unreleased/9661-blackpiglet
+++ b/changelogs/unreleased/9661-blackpiglet
@@ -0,0 +1 @@
+Add check for file extraction from tarball.
--- a/pkg/archive/extractor.go
+++ b/pkg/archive/extractor.go
@@ -19,8 +19,10 @@ package archive
 import (
 	"archive/tar"
 	"compress/gzip"
+	"fmt"
 	"io"
 	"path/filepath"
+	"strings"

 	"github.com/sirupsen/logrus"

@@ -66,6 +68,16 @@ func (e *Extractor) writeFile(target string, tarRdr *tar.Reader) error {
 	return nil
 }

+// sanitizeArchivePath sanitizes archive file path from "G305: Zip Slip vulnerability"
+func sanitizeArchivePath(destDir, sourcePath string) (targetPath string, err error) {
+	targetPath = filepath.Join(destDir, sourcePath)
+	if strings.HasPrefix(targetPath, filepath.Clean(destDir)) {
+		return targetPath, nil
+	}
+
+	return "", fmt.Errorf("invalid archive path %q: escapes target directory", sourcePath)
+}
+
 func (e *Extractor) readBackup(tarRdr *tar.Reader) (string, error) {
 	dir, err := e.fs.TempDir("", "")
 	if err != nil {
@@ -84,7 +96,11 @@ func (e *Extractor) readBackup(tarRdr *tar.Reader) (string, error) {
 			return "", err
 		}

-		target := filepath.Join(dir, header.Name) //nolint:gosec // Internal usage. No need to check.
+		target, err := sanitizeArchivePath(dir, header.Name)
+		if err != nil {
+			e.log.Infof("error sanitizing archive path: %s", err.Error())
+			return "", err
+		}

 		switch header.Typeflag {
 		case tar.TypeDir:
--- a/pkg/archive/extractor_test.go
+++ b/pkg/archive/extractor_test.go
@@ -18,6 +18,7 @@ package archive

 import (
 	"archive/tar"
+	"bytes"
 	"compress/gzip"
 	"io"
 	"os"
@@ -87,6 +88,31 @@ func TestUnzipAndExtractBackup(t *testing.T) {
 	}
 }

+func TestUnzipAndExtractBackupRejectsPathTraversal(t *testing.T) {
+	ext := NewExtractor(test.NewLogger(), test.NewFakeFileSystem())
+
+	var buf bytes.Buffer
+	gzw := gzip.NewWriter(&buf)
+	tw := tar.NewWriter(gzw)
+
+	err := tw.WriteHeader(&tar.Header{
+		Name:     "../escape.txt",
+		Mode:     0600,
+		Typeflag: tar.TypeReg,
+		Size:     int64(len("data")),
+	})
+	require.NoError(t, err)
+
+	_, err = tw.Write([]byte("data"))
+	require.NoError(t, err)
+	require.NoError(t, tw.Close())
+	require.NoError(t, gzw.Close())
+
+	_, err = ext.UnzipAndExtractBackup(&buf)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "invalid archive path")
+}
+
 func createArchive(files []string, fs filesystem.Interface) (string, error) {
 	outName := "output.tar.gz"
 	out, err := fs.Create(outName)
				`@@ -0,0 +1 @@`
				`Add check for file extraction from tarball.`