From a34c9eb6928b0d05fb059aa7775a2381f83084f3 Mon Sep 17 00:00:00 2001
From: Tudor Golubenco
Date: Wed, 2 May 2018 18:19:25 +0200
Subject: [PATCH] Ensure the dashboard zip is sane (#6921)

* Ensure the dashboard zip is sane

This adds a check that all files from the dashboard zip file are pointing to the right target, and don't override other configs.

* changelog

* addressed comment
---
 CHANGELOG.asciidoc             |  1 +
 libbeat/dashboards/importer.go | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 0c831074d947..afefbf9ffbf4 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -54,6 +54,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
 - Fix for kafka logger. {pull}6430[6430]
 - Remove double slashes in Windows service script. {pull}6491[6491]
 - Ensure Kubernetes labels/annotations don't break mapping {pull}6490[6490]
+- Ensure that the dashboard zip files can't contain files outside of the kibana directory. {pull}6921[6921]
 *Auditbeat*
diff --git a/libbeat/dashboards/importer.go b/libbeat/dashboards/importer.go
index f2f26b492c09..a3027641652a 100644
--- a/libbeat/dashboards/importer.go
+++ b/libbeat/dashboards/importer.go
@@ -119,6 +119,16 @@ func (imp Importer) unzip(archive, target string) error {
 	unzipFile := func(file *zip.File) error {
 		filePath := filepath.Join(target, file.Name)
+		// check that the resulting file path is indeed under target
+		// Note that Rel calls Clean.
+		relPath, err := filepath.Rel(target, filePath)
+		if err != nil {
+			return err
+		}
+		if strings.HasPrefix(filepath.ToSlash(relPath), "../") {
+			return fmt.Errorf("Zip file contains files outside of the target directory: %s", relPath)
+		}
 		if file.FileInfo().IsDir() {
 			return os.MkdirAll(filePath, file.Mode())
 		}
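Review bot: The new guard in unzipFile only rejects relative paths that begin with `../`, so an entry whose cleaned path resolves to exactly the parent of target (filepath.Rel then returns the bare string `..`, with no trailing slash) passes the check; the condition should read `if relPath == ".." || strings.HasPrefix(filepath.ToSlash(relPath), "../") {`. On Go 1.20 and later the whole check can be replaced by rejecting entries for which `filepath.IsLocal(file.Name)` is false, which also covers absolute and volume-qualified names in one call. The error string starts with a capital letter, against Go convention for error text; `"zip file contains files outside of the target directory: %s"` would be the idiomatic form. Whether `fmt` and `strings` are already imported in importer.go cannot be seen from this hunk, and both the unzipFile closure and the enclosing unzip function continue past it, so the later write of the entry is not reviewed here.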