TarFile fails to extract even when symbolic link references into the output directory #77303

Closed
tmds opened this issue Oct 21, 2022 · 5 comments · Fixed by #77338

tmds commented Oct 21, 2022

I already have an open issue about TarFile not wanting to create symbolic links that point outside the output directory: #74140.

Triggered by #77096, I was curious to see if podman would have the same issue as docker.

I did:

$ podman pull hello-world
$ podman save hello-world -o hello-world.tar # uncompressed when saving a local image

The resulting archive fails to extract:

Unhandled exception. System.IO.IOException: Extracting the Tar entry '../8e128b102ca8161cb297e3aa73240b8e537af67422fd4c22bf43c296c91d13ad.tar' would have resulted in a link target outside the specified destination directory: '/tmp/bca4a72dc384466ab6abd59cc585bd5a'
   at System.Formats.Tar.TarEntry.GetDestinationAndLinkPaths(String destinationDirectoryPath)
   at System.Formats.Tar.TarEntry.ExtractRelativeToDirectoryAsync(String destinationDirectoryPath, Boolean overwrite, SortedDictionary`2 pendingModes, CancellationToken cancellationToken)
   at System.Formats.Tar.TarFile.ExtractToDirectoryInternalAsync(Stream source, String destinationDirectoryPath, Boolean overwriteFiles, Boolean leaveOpen, CancellationToken cancellationToken)
   at System.Formats.Tar.TarFile.ExtractToDirectoryInternalAsync(Stream source, String destinationDirectoryPath, Boolean overwriteFiles, Boolean leaveOpen, CancellationToken cancellationToken)
   at Program.<Main>$(String[] args) in /tmp/console/Program.cs:line 6
   at Program.<Main>(String[] args)

The symbolic link it considers problematic is actually still pointing inside the output directory.
These are the archive entries:

8e128b102ca8161cb297e3aa73240b8e537af67422fd4c22bf43c296c91d13ad.tar(RegularFile) -> 
c0e8b50899a56dcd91634bfbb7a8336f2c0f6f6a9bbb5ad9b747dc1547aaa9f4.json(RegularFile) -> 
00335d90e4f471aae0fdbae54765dd7a5a1cb276c55c2fc75bf64ab20c5c97d1/layer.tar(SymbolicLink) -> ../8e128b102ca8161cb297e3aa73240b8e537af67422fd4c22bf43c296c91d13ad.tar
00335d90e4f471aae0fdbae54765dd7a5a1cb276c55c2fc75bf64ab20c5c97d1/VERSION(RegularFile) -> 
00335d90e4f471aae0fdbae54765dd7a5a1cb276c55c2fc75bf64ab20c5c97d1/json(RegularFile) -> 
manifest.json(RegularFile) -> 
repositories(RegularFile) -> 

cc @carlossanlop @jozkee @am11

ghost commented Oct 21, 2022

Tagging subscribers to this area: @dotnet/area-system-io
See info in area-owners.md if you want to be subscribed.

Issue Details

Author: tmds
Assignees: -
Labels: area-System.IO, untriaged
Milestone: -


am11 commented Oct 21, 2022

This is a duplicate of #74140, right? podman-hello-world.tar can be used as a test asset when we have the fix.


tmds commented Oct 21, 2022

> This is a duplicate of #74140, right?

In that case, the symbolic link points outside the output directory.
Here, the symbolic target is still in the output directory.


am11 commented Oct 21, 2022

Ok, I see. It is a bug where we fail to recognize that the symlink is in fact pointing to a path inside the destination directory (../8e128b102ca8161cb297e3aa73240b8e537af67422fd4c22bf43c296c91d13ad.tar) and throw an IOException.


am11 commented Oct 21, 2022

Untested, but I think:

linkTargetPath = GetSanitizedFullPath(destinationDirectoryPath, LinkName);

should be: linkTargetPath = GetSanitizedFullPath(fileDestinationPath, LinkName); or linkTargetPath = GetSanitizedFullPath(Path.GetDirectoryName(fileDestinationPath), LinkName);

@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Oct 22, 2022
@ghost ghost removed in-pr There is an active PR which will close this issue when it is merged untriaged New issue has not been triaged by the area owner labels Nov 11, 2022
@jozkee jozkee added this to the 8.0.0 milestone Nov 17, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Dec 22, 2022
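
Added example, not part of the thread and not the runtime's own code: a sketch of the containment check discussed above, comparing a relative link target resolved against the destination root (the behaviour reported here) with one resolved against the link's own directory. The class, its helpers, and the entry names are hypothetical; the first case has the shape of the podman `layer.tar` entry, with the hash names replaced by constructed placeholders.

```csharp
using System;
using System.IO;

static class LinkCheck
{
    // Hypothetical helper: true when 'path' equals 'root' or lies beneath it.
    // Purely lexical: GetFullPath collapses ".." without touching the disk.
    static bool IsInside(string root, string path)
    {
        string r = Path.TrimEndingDirectorySeparator(Path.GetFullPath(root));
        string p = Path.GetFullPath(path);
        return p == r || p.StartsWith(r + Path.DirectorySeparatorChar, StringComparison.Ordinal);
    }

    // Behaviour reported in the issue: the relative target is resolved
    // against the destination root, wherever the link itself is located.
    public static bool AllowedAgainstRoot(string dest, string linkName) =>
        IsInside(dest, Path.Combine(dest, linkName));

    // How the filesystem resolves a relative symlink: against the directory
    // that contains the link. The link's own location is validated first.
    public static bool AllowedAgainstLinkDir(string dest, string entryName, string linkName)
    {
        string linkPath = Path.GetFullPath(Path.Combine(dest, entryName));
        if (!IsInside(dest, linkPath)) return false;
        string linkDir = Path.GetDirectoryName(linkPath) ?? dest;
        return IsInside(dest, Path.Combine(linkDir, linkName));
    }

    static void Main()
    {
        // Constructed destination and entries (placeholders, not the real hashes).
        string dest = Path.Combine(Path.GetTempPath(), "extract-root");
        var cases = new (string Entry, string Target)[]
        {
            ("layerdir/layer.tar", "../blob.tar"),       // link in a subdirectory, target one level up
            ("layerdir/layer.tar", "../../outside.txt"), // target two levels up from the link's directory
            ("top-link", "../outside.txt"),              // link at the root, target one level up
            ("a/b/link", "../../inside.txt"),            // link two levels deep, target two levels up
        };
        foreach (var (entry, target) in cases)
            Console.WriteLine($"{entry} -> {target}: " +
                $"root-relative={AllowedAgainstRoot(dest, target)}, " +
                $"link-relative={AllowedAgainstLinkDir(dest, entry, target)}");
    }
}
```

The check is lexical only: it does not follow symbolic links that already exist under the destination, so an extractor also has to account for entries written through a previously extracted link.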