Pip processes corrupt packages containing using ../ chars placing files outside target directory

[hyp3rlinx]

• Pip version: tested on pip versions 6.0.8 and 8.0.2,
• Python version: 2.7
• Operating System: Linux / Windows

Description:

pip processes invalid packages .tar/.zip archives containing "../" directory traversal chars and places package files outside of target directories even after pip complains and throws errors and aborts the install.

[RobotLimeLtd]

This has been open quite a while, and it's something Sonatype (who own Nexus) say is still present in the latest versions of Pip. For this reason, any organisation running Nexus IQ at their perimeter finds all versions of the Pip package quarantined.

Not wishing to be rude, but is there a reason it's never been fixed in 2 and a half years? I work with people who could maybe work on a patch, but I'd like to know in advance if there's some genuine blocker, or whether it's just fallen through the cracks.

[pfmoore]

Mainly just that no-one has offered a PR, I suspect. That plus the fact that we don't really offer any guarantees if you feed invalid package files to pip, so fixing this one specific issue is probably only the tip of the iceberg, and we don't have anything like the resources to provide any guarantees here.

But if you want to produce a PR, there's no reason I can see that we'd reject it.

[cjerdonek]

Is there any backwards compatibility concern here?

[wilsonfv]

i raised a PR simply add a warning message if the output tar file is placed outside of target location

[cjerdonek]

FYI, someone is working on a PR for this issue, PR #6313. However, the PR doesn't prevent files from being placed outside the target directory. It just logs a warning and says the behavior is deprecated.

Personally, I think we should simply prevent this from happening as it's a security issue and can cause data loss. What do people on this issue think?

Also, as a secondary point, if pip is already complaining by throwing an error and aborting the install as the OP said, I don't see what we gain by logging a warning on top of that.

[xavfernandez]

I agree pip should not log a warning but simply not process those files.

[pradyunsg]

Cool, let's stick with aborting.

[bytesemantics]

This issue is now affecting our Enterprise use of python - as we've adopted Sonatype IQ for vuln scanning too.

Do we have an ETA for when this fix might be merged/released ?