-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix relative symlink support in TarFile #77338
Fix relative symlink support in TarFile #77338
Conversation
Tagging subscribers to this area: @dotnet/area-system-io Issue DetailsFixes #77303 Depends on dotnet/runtime-assets#280
|
c2c500d
to
533c109
Compare
@tmds, this gets us closer to tar utilities. File attributes: I noticed with GNU and BSD |
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.ExtractToDirectoryAsync.Stream.Tests.cs
Show resolved
Hide resolved
If we're changing this code, I think it would be good to make a decision about #74140. |
Can you create an issue about this? |
There are two things which throw different IOExceptions:
the security concerns mentioned in #74140 apply to the first one, but the second one seems harmless given the target of symlink are normally not validated upon symlink creation (it can point to a non-existing path). |
Yes, #74140 is about the behavior being too restrictive in the second case. @jozkee @carlossanlop @jeffhandley @adamsitnik can you make a decision about the desired behavior? |
533c109
to
bb34445
Compare
@adamsitnik, currently, System.Formats.Tar allows symlink target to be inside the archive and disallows if the target is pointing to path outside the archive. So far, this PR hasn't changed the behavior. The bug appears when the symlink target is pointing to the path inside the archive with relative paths, the symlink validation ( Allowing the target of symlink to path outside the archive is a separate discussion (#74140, awaiting decision) and it can be fixed in a separate PR. |
Rather than changing this code once more, review it once more, and maybe backport it once more too, why don't we make a decision? |
Hmm, because they are separate issues: #77303 (comment).. |
Right, and this is a bug fix with accompanying tests. If decision to allow link target outside the extraction directory will take longer (#74140 is awaiting decision for some time now), we should fix this bug regardless. The code change for 74140 is straightforward, so I am fine to fix it here as well. Lets see what the area owners think about next steps. |
FWIW, it will take this change to allow target of symlinks (and hardlinks) outside the archive: am11@fae7cd2 (remove validation of link target, update two existing tests and add two additional tests for non-existing paths). |
You must also add the symlink check (see #74140) to prevent 'using' a symlink to place files outside the output directory. |
I am not sure how to produce that tar file. Do you have a test case handy which isn't failing with my change, while it should? |
This is about introducing a new check that prevents an 'evil' tar file to write files outside the output directory. You should be able to create the tar file using the .NET API. For example:
Extracting this without the check, would lead to writing to |
How exactly? |
You can use the |
Have you actually found that kind of tar file before? I am not sure how do you think it is possible to construct that tar file using the .NET API (or any other producer for that matter). That's why I asked for the test repro (or the tar file) you are talking about. |
This is a specially crafted file meant to trigger a security problem. You can't create it from file system. The |
Between #77303 and #74140, is one of the issues worth backporting while the other is not? Without the answer I think keeping them as separate PRs would allow us to nicely cherry-pick in case we choose to backport just one. |
IMO, this one is worth backporting since we currently allow symlinks within the extraction directory. The validation logic is wrong when the symlink is created with relative path; the bug this PR is fixing. It is not uncommon, e.g. in https://github.com/libunwind/libunwind/archive/refs/tags/v1.6.2.tar.gz, README is a relative symlink to README.md.
I agree. Keeping bugfixes separate from changing the (intentional) behavior is pretty normal; if not recommended. |
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.CreateFromDirectory.File.Tests.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.CreateFromDirectory.File.Tests.cs
Outdated
Show resolved
Hide resolved
0350b9e
to
3753c0a
Compare
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.CreateFromDirectory.File.Roundtrip.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.CreateFromDirectory.File.Roundtrip.cs
Show resolved
Hide resolved
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.CreateFromDirectory.File.Roundtrip.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.CreateFromDirectory.File.Roundtrip.cs
Outdated
Show resolved
Hide resolved
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.ExtractToDirectoryAsync.Stream.Tests.cs
Outdated
Show resolved
Hide resolved
118fc69
to
5b99de4
Compare
src/libraries/System.Formats.Tar/tests/TarFile/TarFile.CreateFromDirectory.File.Roundtrip.cs
Outdated
Show resolved
Hide resolved
…romDirectory.File.Roundtrip.cs Co-authored-by: David Cantú <[email protected]>
Thanks. |
/backport to release/7.0 |
Started backporting to release/7.0: https://github.com/dotnet/runtime/actions/runs/3480654764 |
Fixes #77303
Depends on dotnet/runtime-assets#280