path/filepath: Join is susceptible to SlipZip #40373
Comments
mdlayher
changed the title
|
Actually, I expected that from A workaround would be |
|
I, for one, expect Some applications might want different semantics. That's fine. They can implement their own version of It's possible the documentation could be improved. I'll note that In any case, the Side note: there are many ways to escape a directory; |
|
OneOfOne, your example is precisely the example as posted above. magical, your answer is appreciated, I had a feeling I'd get that reaction. We'll fix it in u-root. I'll leave this open to see if anyone else has a better idea. |
cagedmantis
added
the
NeedsInvestigation
|
This comes up from time to time and indeed we should do something about it, although it's not clear what. Last time it was someone surprised that (To be clear, we can't change the behavior of neither |
|
Perhaps the path.Join and path/filepath.Join examples should be expanded to at least include an example or two of how ".." behaves? |
|
I can send a CL to add examples. |
|
Change https://golang.org/cl/249177 mentions this issue: |
People sometimes expect Join to trim .. components from its arguments before joining, and are surprised that it doesn't. This is bad if they were relying on that assumed behaviour to prevent directory traversal attacks. While a careful reading of the documentation for Join and Clean might dispel this notion, it is not obvious at first glance. Add a case to the examples to nudge people in the right direction. Updates #40373 Change-Id: Ib5792c12ba1000811a0c0eb77048196d0b26da60 Reviewed-on: https://go-review.googlesource.com/c/go/+/249177 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Rob Pike <r@golang.org>
|
I submitted a couple examples. @rminnich does that help? Anything left to do here? |
|
The examples can be seen here: https://tip.golang.org/pkg/path/#example_Join |
|
looking at this, since the CVE is still open and GitHub complains about using a vulnerable dependency in some other projects. Would https://github.com/cyphar/filepath-securejoin help here? By replacing every call to |
|
@magical The examples look good, though I wonder if there should be a note in the description as well. Perhaps something like
|
Edit: moved from issue title to body for hyperlink: https://snyk.io/research/zip-slip-vulnerability
The u-root project has several programs that unarchive files -- cpio, tar, zip, etc.
A few weeks ago we were notified that we are vulnerable to something called ZipSlip. It's a simple enough problem: archives containing paths with .. can end up in unexpected places.
e.g., I am in /bin, and I unpack a cpio, I expect things to end up /bin, and they end up in /home/rminnich/bin/wildthing
This is an easy thing to fix: given a root, base, and a path, p: filepath.Join("/some/place", filepath.Join("/", p))
I can contain the files to base.
The bigger question: do people in general expect that for filepath.Join, things won't creep out of the first directory argument to other places? 3 different people wrote 3 different tools on u-root and missed this, I think because they assumed that everything stayed under path.
This seems like an accident waiting to happen, save that it already did.
Should filepath.Join be changed, or maybe we need a filepath.BaseJoin which guarantees things stay inside the base?
I can fix this for the 3 programs in question, but I'm wondering if it really belongs in the go runtime instead.
What version of Go are you using (
go version)?Does this issue reproduce with the latest release?
Repros on every release since filepath.Join was written.
What operating system and processor architecture are you using (
go env)?Does not matter -- it's a filepath question
What did you do?
What did you expect to see?
people don't expect to see files creep out of the target directory. Arguably it's a defect of the program, and a bad assumption on the part of the author(s), but still ...
What did you see instead?
We got a CVE ;-)
The text was updated successfully, but these errors were encountered: