
Arbitrary file write during tarfile extraction in luigi/contrib/sge_runner.py #3301

Closed
Ali-Razmjoo opened this issue Aug 24, 2024 · 1 comment

Comments

@Ali-Razmjoo
Contributor

Ali-Razmjoo commented Aug 24, 2024

Hi,

I am reporting a potential security issue with arbitrary file write during tarfile extraction in

https://github.com/spotify/luigi/blob/master/luigi/contrib/sge_runner.py#L67-L70

Extracting files from a malicious tar archive without validating that the destination file path is within the destination directory can cause files outside the destination directory to be overwritten, due to the possible presence of directory traversal elements (..) in archive paths.

  • ..\malicious_file
  • c:\malicious_file
  • /etc/passwd

Recommendation

import os
import sys
import tarfile

# Refuse any entry whose name is absolute or contains "..", then extract it
with tarfile.open(sys.argv[1]) as tar:
    for entry in tar:
        #GOOD: Check that entry is safe
        if os.path.isabs(entry.name) or ".." in entry.name:
            raise ValueError("Illegal tar archive entry")
        tar.extract(entry, "/tmp/unpack/")

References
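
An added example, not the reporter's snippet or luigi's own code: the recommended name check, extended with a resolved-path check and a link-target check (both of which a bare `..` test misses), validated over every member before anything is written, and exercised on three constructed archives. The archive contents, the `ok/file.txt`, `../escape.txt` and `/tmp/escape.txt` names, and the temp directories are all constructed for the demo.

```python
import io, os, tarfile, tempfile

def is_within_directory(directory, target):
    """True if target resolves (after '..' and symlinks) to a path inside directory."""
    directory, target = os.path.realpath(directory), os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory

def check_member(member, dest_dir):
    """Raise ValueError for an archive entry that could write outside dest_dir."""
    # Reject absolute names and '..' components up front, as the issue recommends.
    if os.path.isabs(member.name) or ".." in member.name.split("/"):
        raise ValueError(f"Illegal tar archive entry: {member.name!r}")
    full_path = os.path.join(dest_dir, member.name)
    if not is_within_directory(dest_dir, full_path):  # catches escapes via an earlier symlink
        raise ValueError(f"Entry escapes destination: {member.name!r}")
    # Symlink targets are relative to the link's directory; hard links are archive-relative.
    if member.issym() or member.islnk():
        base = os.path.dirname(full_path) if member.issym() else dest_dir
        if not is_within_directory(dest_dir, os.path.join(base, member.linkname)):
            raise ValueError(f"Link escapes destination: {member.name!r}")

def safe_extract(tar_path, dest_dir):
    """Validate every member first, then extract; nothing is written if any entry is bad."""
    with tarfile.open(tar_path) as tar:
        members = tar.getmembers()
        for member in members:
            check_member(member, dest_dir)
        tar.extractall(dest_dir, members=members)

def build_tar(entries):
    """Write a constructed test archive (sample data, not from the issue) to a temp file."""
    path = os.path.join(tempfile.mkdtemp(), "sample.tar")
    with tarfile.open(path, "w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)  # addfile keeps the name exactly as given
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path

def demo():
    # Run the check over three constructed archives; returns label -> 'extracted' / 'rejected'.
    dest, results = tempfile.mkdtemp(), {}
    cases = {"benign": {"ok/file.txt": b"hello"}, "traversal": {"../escape.txt": b"evil"},
             "absolute": {"/tmp/escape.txt": b"evil"}}
    for label, entries in cases.items():
        try:
            safe_extract(build_tar(entries), dest)
            results[label] = "extracted"
        except ValueError:
            results[label] = "rejected"
    return results
```

On Python versions that ship `tarfile.data_filter`, passing `filter="data"` to `extractall` applies equivalent checks inside the standard library; the explicit pre-check above works on any version and fails before any file is written.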

@Ali-Razmjoo
Contributor Author

fixed in #3309
