fix: Use TarSafe for extracting backup tarball

The tarfile.extractall() command is vulnerable to path traversal, which may be exploited by adding a member with an "../" path to the tarball. In our case, this might open up the possibility of malicious data injection to someone that doesn't normally have access to the Open edX cluster, but does have write access to the S3 bucket. In that case, bad things could happen upon extraction of a thus-crafted archive, during an automated restore. This shouldn't have particularly wide-ranging implications since the only filesystem affected by such an attack would be the restore job's container, which is by definition short-lived. And an attacker with access to the S3 bucket could already do far greater damage to the Open edX installation by simply modifying the MongoDB or MySQL data contained in the tarball. Still, it does not hurt to use a safer (if slightly slower) approach that is provided by the tarsafe module. References: python/cpython#73974 https://mail.python.org/pipermail/python-dev/2007-August/074290.html https://nvd.nist.gov/vuln/detail/CVE-2007-4559
fghaas · Jan 9, 2023 · e20dcc4 · e20dcc4
1 parent 4040682
commit e20dcc4
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/tutorbackup/templates/backup/build/backup/Dockerfile b/tutorbackup/templates/backup/build/backup/Dockerfile
@@ -8,7 +8,7 @@ RUN curl -fsSL https://www.mongodb.org/static/pgp/server-4.2.asc | gpg --dearmor
     apt-get update && \
     apt-get install -y --no-install-recommends default-mysql-client mongodb-org-tools && \
     pip install --upgrade pip && \
-    pip install boto3 click && \
+    pip install boto3 click tarsafe && \
     mkdir data backup
 
 COPY backup_services.py .

diff --git a/tutorbackup/templates/backup/build/backup/restore_services.py b/tutorbackup/templates/backup/build/backup/restore_services.py
@@ -4,13 +4,13 @@
 import os
 import shutil
 import sys
-import tarfile
 from datetime import datetime
 from pathlib import Path
 from subprocess import check_call
 
 import click
 from botocore.exceptions import ClientError
+from tarsafe import TarSafe
 
 
 ENV = os.environ
@@ -98,7 +98,7 @@ def extract(file_name):
 
     logger.info(f"Extracting archive {file_name} to {out_dir}")
     try:
-        with tarfile.open(file_name, "r:xz") as tar:
+        with TarSafe.open(file_name, "r:xz") as tar:
             tar.extractall()
     except FileNotFoundError as e:
         logger.exception(e, exc_info=True)