Fixed symlink extraction handlink

Author: cmaglie

extractor.go

@@ -240,17 +240,56 @@ func (e *Extractor) Tar(ctx context.Context, body io.Reader, location string, re
 		}
 	}
 
+	if err := e.extractSymlinks(ctx, symlinks); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (e *Extractor) extractSymlinks(ctx context.Context, symlinks []*link) error {
+	var placeholders []*link
+	// remover, removeSupported := e.FS.(FSRemover)
+
 	for _, symlink := range symlinks {
 		select {
 		case <-ctx.Done():
 			return errors.New("interrupted")
 		default:
 		}
+
+		// If the symlink pointer is clean make the symlink straighaway
+		if clean := filepath.Clean(symlink.Name); !strings.Contains(clean, "..") && !filepath.IsAbs(clean) {
+			_ = e.FS.Remove(symlink.Path)
+			if err := e.FS.Symlink(symlink.Name, symlink.Path); err != nil {
+				return errors.Annotatef(err, "Create link %s", symlink.Path)
+			}
+		} else {
+			// Otherwise make a placeholder and replace it after unpacking everything
+			_ = e.FS.Remove(symlink.Path)
+			f, err := e.FS.OpenFile(symlink.Path, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, os.FileMode(0666))
+			if err != nil {
+				return fmt.Errorf("creating symlink placeholder %s: %w", symlink.Path, err)
+			}
+			if err := f.Close(); err != nil {
+				return fmt.Errorf("creating symlink placeholder %s: %w", symlink.Path, err)
+			}
+			placeholders = append(placeholders, symlink)
+		}
+	}
+
+	for _, symlink := range placeholders {
+		select {
+		case <-ctx.Done():
+			return errors.New("interrupted")
+		default:
+		}
 		_ = e.FS.Remove(symlink.Path)
 		if err := e.FS.Symlink(symlink.Name, symlink.Path); err != nil {
 			return errors.Annotatef(err, "Create link %s", symlink.Path)
 		}
 	}
+
 	return nil
 }
 
@@ -343,17 +382,8 @@ func (e *Extractor) Zip(ctx context.Context, body io.Reader, location string, re
 		}
 	}
 
-	// Now we make another pass creating the links
-	for _, link := range links {
-		select {
-		case <-ctx.Done():
-			return errors.New("interrupted")
-		default:
-		}
-		_ = e.FS.Remove(link.Path)
-		if err := e.FS.Symlink(link.Name, link.Path); err != nil {
-			return errors.Annotatef(err, "Create link %s", link.Path)
-		}
+	if err := e.extractSymlinks(ctx, links); err != nil {
+		return err
 	}
 
 	return nil

extractor_test.go

@@ -1,6 +1,8 @@
 package extract_test
 
 import (
+	"archive/tar"
+	"archive/zip"
 	"bytes"
 	"context"
 	"fmt"
@@ -113,6 +115,128 @@ func TestZipSlipHardening(t *testing.T) {
 	})
 }
 
+func mkTempDir(t *testing.T) *paths.Path {
+	tmp, err := paths.MkTempDir("", "test")
+	require.NoError(t, err)
+	t.Cleanup(func() { tmp.RemoveAll() })
+	return tmp
+}
+
+func TestSymLinkMazeHardening(t *testing.T) {
+	addTarSymlink := func(t *testing.T, tw *tar.Writer, new, old string) {
+		err := tw.WriteHeader(&tar.Header{
+			Mode: 0o0777, Typeflag: tar.TypeSymlink, Name: new, Linkname: old,
+		})
+		require.NoError(t, err)
+	}
+	addZipSymlink := func(t *testing.T, zw *zip.Writer, new, old string) {
+		h := &zip.FileHeader{Name: new, Method: zip.Deflate}
+		h.SetMode(os.ModeSymlink)
+		w, err := zw.CreateHeader(h)
+		require.NoError(t, err)
+		_, err = w.Write([]byte(old))
+		require.NoError(t, err)
+	}
+
+	t.Run("TarWithSymlinkToAbsPath", func(t *testing.T) {
+		// Create target dir
+		tmp := mkTempDir(t)
+		targetDir := tmp.Join("test")
+		require.NoError(t, targetDir.Mkdir())
+
+		// Make a tar archive with symlink maze
+		outputTar := bytes.NewBuffer(nil)
+		tw := tar.NewWriter(outputTar)
+		addTarSymlink(t, tw, "aaa", tmp.String())
+		addTarSymlink(t, tw, "aaa/sym", "something")
+		require.NoError(t, tw.Close())
+
+		// Run extract
+		extractor := extract.Extractor{FS: &LoggingFS{}}
+		require.Error(t, extractor.Tar(context.Background(), outputTar, targetDir.String(), nil))
+		require.NoFileExists(t, tmp.Join("sym").String())
+	})
+
+	t.Run("ZipWithSymlinkToAbsPath", func(t *testing.T) {
+		// Create target dir
+		tmp := mkTempDir(t)
+		targetDir := tmp.Join("test")
+		require.NoError(t, targetDir.Mkdir())
+
+		// Make a zip archive with symlink maze
+		outputZip := bytes.NewBuffer(nil)
+		zw := zip.NewWriter(outputZip)
+		addZipSymlink(t, zw, "aaa", tmp.String())
+		addZipSymlink(t, zw, "aaa/sym", "something")
+		require.NoError(t, zw.Close())
+
+		// Run extract
+		extractor := extract.Extractor{FS: &LoggingFS{}}
+		err := extractor.Zip(context.Background(), outputZip, targetDir.String(), nil)
+		require.NoFileExists(t, tmp.Join("sym").String())
+		require.Error(t, err)
+	})
+
+	t.Run("TarWithSymlinkToRelativeExternalPath", func(t *testing.T) {
+		// Create target dir
+		tmp := mkTempDir(t)
+		targetDir := tmp.Join("test")
+		require.NoError(t, targetDir.Mkdir())
+		checkDir := tmp.Join("secret")
+		require.NoError(t, checkDir.MkdirAll())
+
+		// Make a tar archive with regular symlink maze
+		outputTar := bytes.NewBuffer(nil)
+		tw := tar.NewWriter(outputTar)
+		addTarSymlink(t, tw, "aaa", "../secret")
+		addTarSymlink(t, tw, "aaa/sym", "something")
+		require.NoError(t, tw.Close())
+
+		extractor := extract.Extractor{FS: &LoggingFS{}}
+		require.Error(t, extractor.Tar(context.Background(), outputTar, targetDir.String(), nil))
+		require.NoFileExists(t, checkDir.Join("sym").String())
+	})
+
+	t.Run("TarWithSymlinkToInternalPath", func(t *testing.T) {
+		// Create target dir
+		tmp := mkTempDir(t)
+		targetDir := tmp.Join("test")
+		require.NoError(t, targetDir.Mkdir())
+
+		// Make a tar archive with regular symlink maze
+		outputTar := bytes.NewBuffer(nil)
+		tw := tar.NewWriter(outputTar)
+		require.NoError(t, tw.WriteHeader(&tar.Header{Mode: 0o0777, Typeflag: tar.TypeDir, Name: "tmp"}))
+		addTarSymlink(t, tw, "aaa", "tmp")
+		addTarSymlink(t, tw, "aaa/sym", "something")
+		require.NoError(t, tw.Close())
+
+		extractor := extract.Extractor{FS: &LoggingFS{}}
+		require.NoError(t, extractor.Tar(context.Background(), outputTar, targetDir.String(), nil))
+		require.FileExists(t, targetDir.Join("tmp", "sym").String())
+	})
+
+	t.Run("TarWithSymlinkToExternalPathWithoutMazing", func(t *testing.T) {
+		// Create target dir
+		tmp := mkTempDir(t)
+		targetDir := tmp.Join("test")
+		require.NoError(t, targetDir.Mkdir())
+
+		// Make a tar archive with valid symlink maze
+		outputTar := bytes.NewBuffer(nil)
+		tw := tar.NewWriter(outputTar)
+		require.NoError(t, tw.WriteHeader(&tar.Header{Mode: 0o0777, Typeflag: tar.TypeDir, Name: "tmp"}))
+		addTarSymlink(t, tw, "aaa", "../tmp")
+		require.NoError(t, tw.Close())
+
+		extractor := extract.Extractor{FS: &LoggingFS{}}
+		require.NoError(t, extractor.Tar(context.Background(), outputTar, targetDir.String(), nil))
+		st, err := targetDir.Join("aaa").Lstat()
+		require.NoError(t, err)
+		require.Equal(t, "aaa", st.Name())
+	})
+}
+
 // MockDisk is a disk that chroots to a directory
 type MockDisk struct {
 	Base string

loggingfs_test.go

@@ -17,59 +17,84 @@ type LoggedOp struct {
 	OldPath string
 	Mode    os.FileMode
 	Flags   int
+	Err     error
 }
 
 func (op *LoggedOp) String() string {
+	res := ""
 	switch op.Op {
 	case "link":
-		return fmt.Sprintf("link     %s -> %s", op.Path, op.OldPath)
+		res += fmt.Sprintf("link     %s -> %s", op.Path, op.OldPath)
 	case "symlink":
-		return fmt.Sprintf("symlink  %s -> %s", op.Path, op.OldPath)
+		res += fmt.Sprintf("symlink  %s -> %s", op.Path, op.OldPath)
 	case "mkdirall":
-		return fmt.Sprintf("mkdirall %v %s", op.Mode, op.Path)
+		res += fmt.Sprintf("mkdirall %v %s", op.Mode, op.Path)
 	case "open":
-		return fmt.Sprintf("open     %v %s (flags=%04x)", op.Mode, op.Path, op.Flags)
+		res += fmt.Sprintf("open     %v %s (flags=%04x)", op.Mode, op.Path, op.Flags)
 	case "remove":
-		return fmt.Sprintf("remove   %v", op.Path)
+		res += fmt.Sprintf("remove   %v", op.Path)
+	default:
+		panic("unknown LoggedOP " + op.Op)
+	}
+	if op.Err != nil {
+		res += " error: " + op.Err.Error()
+	} else {
+		res += " success"
 	}
-	panic("unknown LoggedOP " + op.Op)
+	return res
 }
 
 func (m *LoggingFS) Link(oldname, newname string) error {
-	m.Journal = append(m.Journal, &LoggedOp{
+	err := os.Link(oldname, newname)
+	op := &LoggedOp{
 		Op:      "link",
 		OldPath: oldname,
 		Path:    newname,
-	})
-	return os.Link(oldname, newname)
+		Err:     err,
+	}
+	m.Journal = append(m.Journal, op)
+	fmt.Println("FS>", op)
+	return err
 }
 
 func (m *LoggingFS) MkdirAll(path string, perm os.FileMode) error {
-	m.Journal = append(m.Journal, &LoggedOp{
+	err := os.MkdirAll(path, perm)
+	op := &LoggedOp{
 		Op:   "mkdirall",
 		Path: path,
 		Mode: perm,
-	})
-	return os.MkdirAll(path, perm)
+		Err:  err,
+	}
+	m.Journal = append(m.Journal, op)
+	fmt.Println("FS>", op)
+	return err
 }
 
 func (m *LoggingFS) Symlink(oldname, newname string) error {
-	m.Journal = append(m.Journal, &LoggedOp{
+	err := os.Symlink(oldname, newname)
+	op := &LoggedOp{
 		Op:      "symlink",
 		OldPath: oldname,
 		Path:    newname,
-	})
-	return os.Symlink(oldname, newname)
+		Err:     err,
+	}
+	m.Journal = append(m.Journal, op)
+	fmt.Println("FS>", op)
+	return err
 }
 
 func (m *LoggingFS) OpenFile(name string, flags int, perm os.FileMode) (*os.File, error) {
-	m.Journal = append(m.Journal, &LoggedOp{
+	f, err := os.OpenFile(name, flags, perm)
+	op := &LoggedOp{
 		Op:    "open",
 		Path:  name,
 		Mode:  perm,
 		Flags: flags,
-	})
-	return os.OpenFile(os.DevNull, flags, perm)
+		Err:   err,
+	}
+	m.Journal = append(m.Journal, op)
+	fmt.Println("FS>", op)
+	return f, err
 }
 
 func (m *LoggingFS) Remove(path string) error {