Security: fix Windows backslash traversal in symlink checks, rename constant

claude · ben-edna · commit a5285cd25b40 · 2026-03-31T10:17:34.000+02:00
- archive.py: extract _is_unsafe_symlink_target() helper that checks both PurePosixPath and PureWindowsPath so targets like "..\\..\\evil" are caught on any host OS; apply it to both _check_zip_member_type and _check_tar_member_type, removing the duplicated inline check. Rename _MAX_SYMLINK_TARGET → max_symlink_target to satisfy pylint C0103 (local variable vs. module-level constant naming convention). - test_archive.py: add Windows-backslash traversal cases for both ZIP (test_check_zip_members_symlink_windows_dotdot_target) and TAR (test_check_tar_member_type_windows_dotdot_symlink). https://claude.ai/code/session_01CxKrTZekNRCoSD9PSMekQZ
diff --git a/dfetch/vcs/archive.py b/dfetch/vcs/archive.py
@@ -366,6 +366,23 @@ def check_zip_members(zf: zipfile.ZipFile) -> list[zipfile.ZipInfo]:
             ArchiveLocalRepo._check_zip_member_type(info, zf)
         return members
 
+    @staticmethod
+    def _is_unsafe_symlink_target(target: str) -> bool:
+        """Return *True* when *target* is an unsafe symlink destination.
+
+        A target is unsafe if it is absolute or contains ``..`` components
+        under either POSIX or Windows path semantics, so that backslash-based
+        traversals like ``..\\..\\evil`` are caught on any host OS.
+        """
+        posix = pathlib.PurePosixPath(target)
+        win = pathlib.PureWindowsPath(target)
+        return (
+            posix.is_absolute()
+            or win.is_absolute()
+            or any(part == ".." for part in posix.parts)
+            or any(part == ".." for part in win.parts)
+        )
+
     @staticmethod
     def _check_zip_member_type(info: zipfile.ZipInfo, zf: zipfile.ZipFile) -> None:
         """Reject dangerous ZIP member types (mirrors :meth:`_check_tar_member_type`).
@@ -377,20 +394,18 @@ def _check_zip_member_type(info: zipfile.ZipInfo, zf: zipfile.ZipFile) -> None:
         Raises:
             RuntimeError: When *info* is a symlink with an unsafe target.
         """
-        _MAX_SYMLINK_TARGET = 4096
+        max_symlink_target = 4096
         unix_mode = info.external_attr >> 16
         if stat.S_ISLNK(unix_mode):
             with zf.open(info) as member_file:
-                raw = member_file.read(_MAX_SYMLINK_TARGET + 1)
-            if len(raw) > _MAX_SYMLINK_TARGET:
+                raw = member_file.read(max_symlink_target + 1)
+            if len(raw) > max_symlink_target:
                 raise RuntimeError(
                     f"Archive contains a symlink with an oversized target: "
                     f"{info.filename!r}"
                 )
             target = raw.decode(errors="replace")
-            if os.path.isabs(target) or any(
-                part == ".." for part in pathlib.PurePosixPath(target).parts
-            ):
+            if ArchiveLocalRepo._is_unsafe_symlink_target(target):
                 raise RuntimeError(
                     f"Archive contains a symlink with an unsafe target: "
                     f"{info.filename!r} -> {target!r}"
@@ -422,9 +437,7 @@ def _check_tar_member_type(member: tarfile.TarInfo) -> None:
         """
         if member.issym():
             target = member.linkname
-            if os.path.isabs(target) or any(
-                part == ".." for part in pathlib.PurePosixPath(target).parts
-            ):
+            if ArchiveLocalRepo._is_unsafe_symlink_target(target):
                 raise RuntimeError(
                     f"Archive contains a symlink with an unsafe target: "
                     f"{member.name!r} -> {target!r}"
diff --git a/tests/test_archive.py b/tests/test_archive.py
@@ -162,6 +162,13 @@ def test_check_zip_members_symlink_dotdot_target():
         _check_zip_members(zf)
 
 
+def test_check_zip_members_symlink_windows_dotdot_target():
+    """ZIP symlink with Windows-style backslash traversal must be rejected."""
+    zf = _make_zip_with_symlink("link", "..\\..\\evil")
+    with pytest.raises(RuntimeError, match="symlink"):
+        _check_zip_members(zf)
+
+
 def test_check_zip_members_symlink_safe_relative():
     """ZIP symlink with a safe relative target must be accepted (mirrors TAR behaviour)."""
     zf = _make_zip_with_symlink("link", "relative/safe/target")
@@ -268,6 +275,14 @@ def test_check_tar_member_type_dotdot_symlink():
         _check_tar_member_type(member)
 
 
+def test_check_tar_member_type_windows_dotdot_symlink():
+    """TAR symlink with Windows-style backslash traversal must be rejected."""
+    tf = _make_tar_with_member(lambda t: _add_symlink(t, "link", "..\\..\\evil"))
+    member = tf.getmembers()[0]
+    with pytest.raises(RuntimeError, match="unsafe target"):
+        _check_tar_member_type(member)
+
+
 # ---------------------------------------------------------------------------
 # _check_tar_member_type — hardlink validation
 # ---------------------------------------------------------------------------
