Fix #3907 tar file placed outside of target location #6313
Conversation
pradyunsg
added
S: awaiting response
|
If we detect a file being written outside of the location, I think we should fail rather than warn. |
we could fail it immediately, i am just not sure if its a bug or a design issue so just a warning in case i break anything we could roll out this changes if no further complain, we can then fail it in next release |
pradyunsg
removed
the
S: awaiting response
|
Since this is broken behavior and also a security issue, I think we should simply prevent this from happening if we're already going to the trouble of detecting it. Also, if you read the original report, it said,
Especially if pip is already erroring out, it seems like it doesn't really help things to log a warning in addition to the error. Pip is already throwing an error. |
|
By the way, when I asked about possible backwards compatibility concerns on the original issue, I was also thinking about things like paths that might resolve to something within the target directory, but that contained |
I agree. |
Let's do this then. :D |
|
Hello! I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the |
|
One thing I would like to see as part of this PR is a helper function to create a zip file containing files with given paths. Then, there can be two tests of And similarly for a tar file. I think this would provide better assurance that the check is working correctly than just testing the correctness of a helper function used inside |
this is now a breaking behavior |
|
I had suggested creating a helper function to create the zip and tar files, and also including the success case and not just the failure case. I think it’s better not to check in binary files, especially if it’s easy to avoid. |
The existing test_unpack_tgz and test_unpack_zip already validate the successful cases |
|
Not with the helper function I’m suggesting that you create. I think it’s important to have a test case to show that the zip files it creates are valid. It won’t even be any extra work. Just calling the same test function but with a different input argument. |
Sorry, I am not sure what you mean. There seems to be no existing test case that creates a zip file |
|
Yes, that’s why I said the function needs to be created. Python’s zipfile module provides that ability: https://docs.python.org/3/library/zipfile.html |
cjerdonek
added
type: bug
We have prepared the zip files in the data package for the test cases. I do not see creating a zip file at run time make any difference |
|
There are a number of differences. Some of the advantages of doing it at runtime are — We don’t need to check in binary files, which I want to avoid if we can. There’s no easy way for reviewers to review the contents of a binary file or know by looking at it what properties it has. It’s harder to update a binary file if we need to make changes to it. Binary also makes it harder to create more test cases: with runtime you can test whatever paths or properties you need to very easily. For example, maybe we want to test different types of characters in the file names in addition to “..”, or paths containing “..” that resolve to inside the target. There are different test cases even with this particular bug alone. |
|
@cjerdonek @pradyunsg please review changes |
wilsonfv
force-pushed
the
master
branch
2 times, most recently
from
d1b33ae to
7365cff
Compare
There was a problem hiding this comment.
Sorry if I'm missing something - I see several comments and some discussion about zip file test helpers and other higher-level tests (which is what I was going to comment on for this PR), but the diff for all commits only shows tests of is_within_directory. Is this expected, or are there tests/changes missing?
|
Hmm, I seem to remember there being issues with some of the rebases. The code from before isn't present anymore. :( @wilsonfv, do you have your old commits? If not, we could try to help you restore those using Git's reflog. |
|
Some portions of the previous code are visible if you click to expand the (outdated) comments of the previous iterations. |
|
If you expand the unchanged sections of |
|
Hello! I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the |
|
Guys? can you please merge this? pip is continually blocked by security tooling because of this silly little bug. It will make a lot of people's live's easier if it's merged before poor Wilson has to do another load of work to keep the PR in line! Thanks! |
|
Hello! I am an automated bot and I have noticed that this pull request is not currently able to be merged. If you are able to either merge the |
|
Rebased and addressed review comments. IMO this can be merged once the checks pass. |
|
I reviewed the existing comments and believe all of them have been addressed, so I will merge this. If I missed anything, we can definitely address it in a follow up. Thanks @wilsonfv for your time and patience. :) We greatly appreciate your contribution. |
lock
bot
added
the
auto-locked
Add a warning if one of the tar file will be placed outside of target location causing potential security issue.
Fixes #3907.