Merge branch 'main' into xj014661/main/fix_extract_cve

Add more check for file extraction from tarball.
Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>
2026-03-27 12:05:05 +00:00 · 2026-03-20 10:59:55 +08:00 · 2026-03-13 16:42:10 +08:00
3 changed files with 44 additions and 1 deletions
--- a/changelogs/unreleased/9614-blackpiglet
+++ b/changelogs/unreleased/9614-blackpiglet
@@ -0,0 +1 @@
+Add check for file extraction from tarball.
--- a/pkg/archive/extractor.go
+++ b/pkg/archive/extractor.go
@@ -19,8 +19,10 @@ package archive
 import (
 	"archive/tar"
 	"compress/gzip"
+	"fmt"
 	"io"
 	"path/filepath"
+	"strings"

 	"github.com/sirupsen/logrus"

@@ -66,6 +68,16 @@ func (e *Extractor) writeFile(target string, tarRdr *tar.Reader) error {
 	return nil
 }

+// sanitizeArchivePath sanitizes archive file path from "G305: Zip Slip vulnerability"
+func sanitizeArchivePath(destDir, sourcePath string) (targetPath string, err error) {
+	targetPath = filepath.Join(destDir, sourcePath)
+	if strings.HasPrefix(targetPath, filepath.Clean(destDir)) {
+		return targetPath, nil
+	}
+
+	return "", fmt.Errorf("invalid archive path %q: escapes target directory", sourcePath)
+}
+
 func (e *Extractor) readBackup(tarRdr *tar.Reader) (string, error) {
 	dir, err := e.fs.TempDir("", "")
 	if err != nil {
@@ -84,7 +96,11 @@ func (e *Extractor) readBackup(tarRdr *tar.Reader) (string, error) {
 			return "", err
 		}

-		target := filepath.Join(dir, header.Name) //nolint:gosec // Internal usage. No need to check.
+		target, err := sanitizeArchivePath(dir, header.Name)
+		if err != nil {
+			e.log.Infof("error sanitizing archive path: %s", err.Error())
+			return "", err
+		}

 		switch header.Typeflag {
 		case tar.TypeDir:
--- a/pkg/archive/extractor_test.go
+++ b/pkg/archive/extractor_test.go
@@ -18,6 +18,7 @@ package archive

 import (
 	"archive/tar"
+	"bytes"
 	"compress/gzip"
 	"io"
 	"os"
@@ -87,6 +88,31 @@ func TestUnzipAndExtractBackup(t *testing.T) {
 	}
 }

+func TestUnzipAndExtractBackupRejectsPathTraversal(t *testing.T) {
+	ext := NewExtractor(test.NewLogger(), test.NewFakeFileSystem())
+
+	var buf bytes.Buffer
+	gzw := gzip.NewWriter(&buf)
+	tw := tar.NewWriter(gzw)
+
+	err := tw.WriteHeader(&tar.Header{
+		Name:     "../escape.txt",
+		Mode:     0600,
+		Typeflag: tar.TypeReg,
+		Size:     int64(len("data")),
+	})
+	require.NoError(t, err)
+
+	_, err = tw.Write([]byte("data"))
+	require.NoError(t, err)
+	require.NoError(t, tw.Close())
+	require.NoError(t, gzw.Close())
+
+	_, err = ext.UnzipAndExtractBackup(&buf)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "invalid archive path")
+}
+
 func createArchive(files []string, fs filesystem.Interface) (string, error) {
 	outName := "output.tar.gz"
 	out, err := fs.Create(outName)
Author	SHA1	Message	Date
Xun Jiang/Bruce Jiang	b5734a6ba2	Merge branch 'main' into xj014661/main/fix_extract_cve Some checks failed Run the E2E test on kind / get-go-version (push) Failing after 1m12s Details Run the E2E test on kind / build (push) Has been skipped Details Run the E2E test on kind / setup-test-matrix (push) Successful in 3s Details Run the E2E test on kind / run-e2e-test (push) Has been skipped Details	2026-03-20 10:59:55 +08:00
Xun Jiang	70043af85b	Add more check for file extraction from tarball. Some checks failed Run the E2E test on kind / get-go-version (push) Failing after 1m25s Details Run the E2E test on kind / build (push) Has been skipped Details Run the E2E test on kind / setup-test-matrix (push) Successful in 3s Details Run the E2E test on kind / run-e2e-test (push) Has been skipped Details Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>	2026-03-13 16:42:10 +08:00
				`@@ -0,0 +1 @@`
				`Add check for file extraction from tarball.`