
proposal: archive/tar, archive/zip: add ErrInsecurePath

golang/go


This is an alternative fix for #25849, as proposed by @dsnet in https://github.com/golang/go/issues/25849#issuecomment-396685881.

The archive/tar and archive/zip readers return unsanitized paths from archives. Careless use of these paths leads to path traversal attacks.

Proposal:

An insecure filename is an absolute path, or a path containing a relative path component (../). When tar.Reader.Next reads a file with an insecure filename, it returns tar.ErrInsecurePath. When zip.NewReader opens an archive containing an insecure filename, it returns zip.ErrInsecurePath. In both cases, the function also returns a usable object (a *tar.Header or *zip.Reader).

In the case where the caller wants to handle archives with insecure filenames, they may ignore the ErrInsecurePath error and perform whatever sanitization they find appropriate. If the caller takes no action, they get an error when processing an unsafe archive.

The advantage over automatically sanitizing filenames is that we don't silently change the semantics of archives. A tar archive may legitimately contain absolute path names; silently converting these to relative names seems more surprising than reporting an error. In addition, there isn't always an obvious sanitized name--we probably want to reject the name COM1 on Windows, but what would we rewrite it into?

2022-09-22 22:06:51
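The contract the proposal describes (header returned together with the error, caller free to stop or to sanitize) can be exercised without waiting for the standard library. The Go program below is an added example written for this page, not code from the Go project or from the issue author. It defines its own ErrInsecurePath sentinel and the helper names isInsecurePath, isInsecureOnHost, nextEntry, walk, sanitize and buildArchive, all of which are this example's own choices; the sanitizing policy in sanitize is likewise one possible policy, illustrating the proposal's point that there is not always an obvious rewrite. The archive contents are constructed in memory as sample data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"path/filepath"
	"strings"
)

// ErrInsecurePath is this example's stand-in for the tar.ErrInsecurePath the
// proposal describes. Defining it locally keeps the example independent of
// the Go version (and GODEBUG settings) it is run under.
var ErrInsecurePath = errors.New("tar: insecure file path")

// isInsecurePath applies the proposal's definition: the name is absolute or
// contains a ".." component. It uses forward-slash semantics only, so the same
// archive gets the same verdict on every platform (the behaviour dsnet asks for).
func isInsecurePath(name string) bool {
	if strings.HasPrefix(name, "/") {
		return true
	}
	for _, c := range strings.Split(name, "/") {
		if c == ".." {
			return true
		}
	}
	return false
}

// isInsecureOnHost layers on the platform-dependent check neild mentions:
// filepath.IsAbs additionally rejects drive-letter paths on Windows and, in the
// go1.19.1 source linked in the thread, reserved device names such as COM1.
// The verdict then depends on GOOS, which is the trade-off the comments debate.
func isInsecureOnHost(name string) bool {
	return isInsecurePath(name) || filepath.IsAbs(filepath.FromSlash(name))
}

// nextEntry wraps tar.Reader.Next with the proposed contract: an insecure name
// yields the header *and* ErrInsecurePath, so the caller can either stop or
// ignore the error and sanitize. A header the stdlib returns alongside its own
// error is still checked and passed on unchanged when the name is acceptable.
func nextEntry(tr *tar.Reader) (*tar.Header, error) {
	hdr, err := tr.Next()
	if hdr == nil {
		return nil, err // io.EOF or a malformed archive
	}
	if isInsecurePath(hdr.Name) {
		return hdr, ErrInsecurePath
	}
	return hdr, err
}

// sanitize is one possible rewriting policy: drop leading slashes and every
// "." or ".." component. If nothing survives the result is "" and the caller
// should skip the entry rather than write a file with no name.
func sanitize(name string) string {
	var kept []string
	for _, c := range strings.Split(name, "/") {
		if c != "" && c != "." && c != ".." {
			kept = append(kept, c)
		}
	}
	return path.Join(kept...)
}

// walk lists the archive's entry names. With strict=true it behaves like a
// caller that takes no special action: the first insecure name aborts the walk,
// the safe default the proposal wants. With strict=false it ignores
// ErrInsecurePath, rewrites the name, and records every rewrite so the change
// is visible to the caller rather than silent.
func walk(archive []byte, strict bool) ([]string, map[string]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var names []string
	rewritten := map[string]string{}
	for {
		hdr, err := nextEntry(tr)
		switch {
		case err == io.EOF:
			return names, rewritten, nil
		case errors.Is(err, ErrInsecurePath) && !strict:
			clean := sanitize(hdr.Name)
			rewritten[hdr.Name] = clean
			if clean != "" {
				names = append(names, clean)
			}
		case err != nil:
			return names, rewritten, err
		default:
			names = append(names, hdr.Name)
		}
	}
}

// buildArchive creates a tar archive in memory from constructed entry names
// (sample data for this example, not an archive taken from anywhere real).
func buildArchive(entries []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range entries {
		body := []byte("sample\n")
		if err := tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body))}); err != nil {
			panic(err)
		}
		if _, err := tw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	archive := buildArchive([]string{"docs/readme.txt", "../escape.txt", "/etc/passwd", "bin/../../escape2"})
	names, _, err := walk(archive, true)
	fmt.Println("strict:", names, err)
	names, rewritten, err := walk(archive, false)
	fmt.Println("sanitized:", names, rewritten, err)
}
```

Running it on the constructed archive, the strict walk stops after "docs/readme.txt" with ErrInsecurePath, while the lenient walk lists all four entries under rewritten names and reports which three were changed. Note that isInsecurePath rejects "bin/../../escape2" and also a name like "bin/../x" that would resolve inside the extraction root: the proposal's wording rejects any ".." component, which is the conservative reading, and a caller who wants the lexically resolved answer can use the lenient mode and inspect the rewrite map.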

Top 3 Comments

  dsnet answered on 2022-09-22 23:23:27

Using filepath does mean that whether an archive is insecure or not will depend on the platform we're executing on

I find that behavior to be fairly surprising. Suppose someone were writing a service that you can send ZIP and TAR files to and it would report whether they are "safe". I would expect the answer given by the service to be agnostic to the platform it is running on. The example might seem esoteric, but it's not that far fetched from how Gmail auto-scans attachments for viruses.

0 positive reactions.
  neild answered on 2022-09-22 23:19:32

filepath.IsAbs considers COM1 and a number of other reserved names to be absolute: https://go.googlesource.com/go/+/refs/tags/go1.19.1/src/path/filepath/path_windows.go#23

Using filepath does mean that whether an archive is insecure or not will depend on the platform we're executing on, but I think that's better than the alternatives. (On one hand, we shouldn't treat reserved names as safe on Windows; on the other hand, we shouldn't reject them elsewhere.)

0 positive reactions.
  dsnet answered on 2022-09-22 22:14:21

In addition, there isn't always an obvious sanitized name--we probably want to reject the name COM1 on Windows, but what would we rewrite it into?

It isn't clear to me whether the proposal includes returning ErrInsecurePath for a file named "COM1". I don't really see that as a security vulnerability since Windows won't let me create a file by that name anyways.

0 positive reactions.
