Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix prefix validation edge-case when extracting #715

Merged
merged 6 commits into from
Dec 18, 2024
Merged

Fix prefix validation edge-case when extracting #715

merged 6 commits into from
Dec 18, 2024

Conversation

egibs
Copy link
Member

@egibs egibs commented Dec 17, 2024
edited
Loading

I noticed that several .tar.gz files have been failing to extract:

unable to process /tmp/malcontent-4121799038/srv/gitlab/vendor/project_templates/iosswift.tar.gz: extract to temp: failed to extract /tmp/malcontent-4121799038/srv/gitlab/vendor/project_templates/iosswift.tar.gz: invalid file path: ./

Turns out, we were checking the target path for a prefix with / appended, so the check would fail (and I was reporting the header name rather than the target file name).

This PR checks for just the clean directory name instead (and we're already handling relative path traversal checks elsewhere).

With these changes:

$ go run cmd/mal/mal.go --all analyze ~/Downloads/gitlab-rails/srv/gitlab/vendor/project_templates/iosswift.tar.gz
🔎 Scanning "~/Downloads/gitlab-rails/srv/gitlab/vendor/project_templates/iosswift.tar.gz"
├─ 🟡 ~/Downloads/gitlab-rails/srv/gitlab/vendor/project_templates/iosswift.tar.gz ∴ /project.bundle [MEDIUM]
│     ≡ credential [MEDIUM]
│       🟡 sniffer/bpf — BPF (Berkeley Packet Filter): bpf
│     ≡ networking [MEDIUM]
│       🟡 tcp/ssh — Supports SSH (secure shell)
│     ≡ process [LOW]
│       🔵 chdir — changes working directory: cd B
│
├─ 🔵 ~/Downloads/gitlab-rails/srv/gitlab/vendor/project_templates/iosswift.tar.gz ∴ /tree/project.json [LOW]
│     ≡ credential [LOW]
│       🔵 password — references a 'password': require_password_to_approve
│

@egibs
Fix prefix validation edge-case when extracting
0ef7ab6 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs egibs requested a review from tstromberg December 17, 2024 16:20
tstromberg
tstromberg requested changes Dec 17, 2024
View reviewed changes
Copy link
Collaborator

@tstromberg tstromberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is subtle - nice catch! Can you add a test or testdata sample that verifies we continue to get this right?

@egibs
Copy link
Member Author

egibs commented Dec 17, 2024

This is subtle - nice catch! Can you add a test or testdata sample that verifies we continue to get this right?

Will do!

@egibs egibs mentioned this pull request Dec 17, 2024
Merged
@egibs
Copy link
Member Author

egibs commented Dec 17, 2024

This is subtle - nice catch! Can you add a test or testdata sample that verifies we continue to get this right?

Added the samples that were running into this in chainguard-dev/malcontent-samples#48.

egibs added 2 commits December 17, 2024 18:01
@egibs
Update sample commit
b5f145a 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs
Merge branch 'main' into fix-tar-gz-bug
0db078d 
Signed-off-by: Evan Gibler <20933572+egibs@users.noreply.github.com>
@egibs
Copy link
Member Author

egibs commented Dec 18, 2024
edited
Loading

I'm going to have a follow-up PR to test the new logic (it definitely works but I don't want to hold up the release).

The new sample data only contain data files, so their refreshes and tests will need to selectively use that to prevent negatively affecting other tests (otherwise they'll run afoul of the new clean <= 2 severity check). It might just be easier to add some unit tests, but TBD.

Edit: unit tests were easier 🙂

@egibs egibs requested a review from tstromberg December 18, 2024 00:06
@egibs
Move logic to new function; add tests
7e2b451 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
egibs
egibs commented Dec 18, 2024
View reviewed changes
pkg/action/archive.go
@@ -48,6 +48,11 @@ func isSupportedArchive(path string) bool {
return archiveMap[getExt(path)]
}

// isValidPath checks if the target file is within the given directory.
func isValidPath(target, dir string) bool {
Copy link
Member Author

@egibs egibs Dec 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still works as expected:

$ go run cmd/mal/mal.go --all analyze out/chainguard-dev/malcontent-samples/linux/clean/gitlab-rails/iosswift.tar.gz 
🔎 Scanning "out/chainguard-dev/malcontent-samples/linux/clean/gitlab-rails/iosswift.tar.gz"
├─ 🟡 out/chainguard-dev/malcontent-samples/linux/clean/gitlab-rails/iosswift.tar.gz ∴ /project.bundle [MEDIUM]
│     ≡ credential [MEDIUM]
│       🟡 sniffer/bpf — BPF (Berkeley Packet Filter): bpf
│     ≡ networking [MEDIUM]
│       🟡 tcp/ssh — Supports SSH (secure shell)
│     ≡ process [LOW]
│       🔵 chdir — changes working directory: cd B
│
├─ 🔵 out/chainguard-dev/malcontent-samples/linux/clean/gitlab-rails/iosswift.tar.gz ∴ /tree/project.json [LOW]
│     ≡ credential [LOW]
│       🔵 password — references a 'password': require_password_to_approve
│

egibs added 2 commits December 17, 2024 18:26
@egibs
Appease the linter
d7a19f5 
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
@egibs
Merge branch 'main' into fix-tar-gz-bug
e5fea36
@tstromberg tstromberg enabled auto-merge (squash) December 18, 2024 00:32
@tstromberg tstromberg merged commit 3db3999 into chainguard-dev:main Dec 18, 2024
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tstromberg tstromberg tstromberg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@egibs @tstromberg