From patchwork Mon Feb 11 22:22:02 2019
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1040181
From: Peter Korsgaard
To: buildroot@buildroot.org
Date: Mon, 11 Feb 2019 23:22:02 +0100
Message-Id: <20190211222202.10786-1-peter@korsgaard.com>
X-Mailer: git-send-email 2.11.0
Subject: [Buildroot] [PATCH] utils/scanpypi: protect against zip-slip vulnerability in zip/tar handling
List-Id: Discussion and development of buildroot
Cc: security-reports@semmle.com, Peter Korsgaard

For details, see https://github.com/snyk/zip-slip-vulnerability

Older python versions do not validate that the extracted files are inside the target directory. Detect and error out on evil paths before extracting .zip / .tar file.

Given the scope of this (zip issue was fixed in python 2.7.4, released 2013-04-06, scanpypi is only used by a developer when adding a new python package), the security impact is fairly minimal, but it is good to get it fixed anyway.

Reported-by: Bas van Schaik
Signed-off-by: Peter Korsgaard
Reviewed-by: "Yann E. MORIN"
---
 utils/scanpypi | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/utils/scanpypi b/utils/scanpypi
index a75d696222..bdce6924b6 100755
--- a/utils/scanpypi
+++ b/utils/scanpypi
@@ -225,6 +225,22 @@ class BuildrootPackage(): self.filename = self.used_url['filename'] self.url = self.used_url['url'] + def check_archive(self, members): + """ + Check archive content before extracting + + Keyword arguments: + members -- list of archive members + """ + # Protect against https://github.com/snyk/zip-slip-vulnerability + # Older python versions do not validate that the extracted files are + # inside the target directory. Detect and error out on evil paths + evil = [e for e in members if os.path.relpath(e).startswith(('/', '..'))] + if evil: + print('ERROR: Refusing to extract {} with suspicious members {}'.format( + self.filename, evil)) + sys.exit(1) + def extract_package(self, tmp_path): """ Extract the package contents into a directrory @@ -249,6 +265,7 @@ class BuildrootPackage(): print('Removing {pkg}...'.format(pkg=tmp_pkg)) shutil.rmtree(tmp_pkg) os.makedirs(tmp_pkg) + self.check_archive(as_zipfile.namelist()) as_zipfile.extractall(tmp_pkg) pkg_filename = self.filename.split(".zip")[0] else: @@ -264,6 +281,7 @@ class BuildrootPackage(): print('Removing {pkg}...'.format(pkg=tmp_pkg)) shutil.rmtree(tmp_pkg) os.makedirs(tmp_pkg) + self.check_archive(as_tarfile.getnames()) as_tarfile.extractall(tmp_pkg) pkg_filename = self.filename.split(".tar")[0]
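Review bot: in the check_archive hunk, `os.path.relpath(e)` is computed against the process's current working directory rather than tmp_pkg, so whether a member is flagged depends on where the developer happens to run scanpypi: an absolute member name is caught only because it turns into a `../`-prefixed path from the cwd, and when the cwd is `/` both absolute names and `../` names normalise to plain relative paths and pass. The `'/'` alternative in `startswith(('/', '..'))` can never match, since relpath() always returns a relative path. Suggest passing the extraction directory into check_archive and resolving each member against it, e.g. `target = os.path.realpath(os.path.join(tmp_pkg, e))`, rejecting the member unless `os.path.commonpath([os.path.realpath(tmp_pkg), target])` equals the real tmp_pkg. Raising an exception rather than calling `sys.exit(1)` inside the method would also let extract_package clean up the freshly created tmp_pkg.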
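Review bot: in the tarfile hunk, `as_tarfile.getnames()` exposes only member names, so a symlink or hard-link member whose `linkname` points outside tmp_pkg passes the check, and a later member extracted through that link is written outside the target directory. Suggest iterating `as_tarfile.getmembers()` and, for members where `issym()` or `islnk()` is true, applying the same containment check to the resolved link target (or rejecting link members outright, since a PyPI sdist does not need them); on interpreters that provide tarfile extraction filters, `as_tarfile.extractall(tmp_pkg, filter='data')` refuses such members as well.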
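As an added illustration of the check the commit message describes (example code written for this page, not part of the patch or of scanpypi): the patch's relpath() test with the working directory it depends on made explicit, beside a check anchored to the extraction directory that also covers tar link members. The base directory, the member names and the in-memory tar are constructed assumptions, not taken from any real package.

```python
import io
import os
import tarfile

SAMPLE_MEMBERS = [               # constructed, as a hostile sdist might list them
    "pkg-1.0/setup.py",          # benign
    "pkg-1.0/src/../README",     # contains '..' but still normalises inside the tree
    "../../etc/cron.d/job",      # classic zip-slip
    "/etc/passwd",               # absolute member name
    "pkg-1.0/../../outside",     # escapes only after normalisation
]

def patch_style_check(members, cwd):
    """The patch's relpath() test, with the directory it is implicitly relative to made explicit."""
    return [m for m in members
            if os.path.relpath(os.path.join(cwd, m), start=cwd).startswith(("/", ".."))]

def is_within(base, member):
    """True if member, joined onto base and normalised, still lies under base."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, member))  # an absolute member discards base
    return os.path.commonpath([base_real, target]) == base_real

def suspicious_members(base, members):
    """Members that would land outside base, regardless of the process's working directory."""
    return [m for m in members if not is_within(base, m)]

def link_target(m):
    """Path a tar member points at, expressed relative to the archive root."""
    if m.issym():   # a symlink target is relative to the link's own directory
        return os.path.join(os.path.dirname(m.name), m.linkname)
    return m.linkname if m.islnk() else m.name  # a hard-link target is relative to the root

def suspicious_tar_members(base, tar):
    """Same check, plus link members whose target escapes base (getnames() never shows those)."""
    return [m.name for m in tar.getmembers()
            if not (is_within(base, m.name) and is_within(base, link_target(m)))]

def build_sample_tar():
    """Constructed in-memory tar: a benign file plus a symlink pointing above the target dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tw:
        data = b"from setuptools import setup\n"
        info = tarfile.TarInfo("pkg-1.0/setup.py")
        info.size = len(data)
        tw.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg-1.0/evil")
        link.type, link.linkname = tarfile.SYMTYPE, "../../outside"
        tw.addfile(link)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Run from a developer's checkout the patch-style test flags the three hostile names, but run from `/` it flags none of them, while the base-anchored check gives the same answer from any directory and also reports the symlink member.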