CVE fix for 'safe extract' tar is covered by filter
Some checks failed
Build empanada images for imagefactory / buildx (push) Failing after 5s
Build empanada container images for lorax / buildx (push) Successful in 1s

This commit is contained in:
Louis Abel 2024-08-13 22:24:41 -07:00
parent 8ce5f69772
commit e2ae0f8630
Signed by: label
GPG Key ID: 2A6975660E424560

View File

@ -1214,6 +1214,8 @@ class Shared:
def tar_is_within_directory(directory, target): def tar_is_within_directory(directory, target):
""" """
CVE-2007-4559 CVE-2007-4559
Function is obsolete. Will be removed in a future version.
""" """
abs_directory = os.path.abspath(directory) abs_directory = os.path.abspath(directory)
abs_target = os.path.abspath(target) abs_target = os.path.abspath(target)
@ -1223,19 +1225,14 @@ class Shared:
@staticmethod @staticmethod
def tar_safe_extractall(tar, def tar_safe_extractall(tar,
path=".", path=".",
members=None,
*, *,
numeric_owner=False numeric_owner=False
): ):
""" """
CVE-2007-4559 CVE-2007-4559 is addressed by setting filter='tar'. This function will
remain here to reduce changes to utilities.
""" """
for member in tar.getmembers(): tar.extractall(path=path, numeric_owner=numeric_owner, filter='tar')
member_path = os.path.join(path, member.name)
if not Shared.tar_is_within_directory(path, member_path):
raise Exception("Path traversal attempted in tar file")
tar.extractall(path=path, members=members, numeric_owner=numeric_owner)
@staticmethod @staticmethod
def dnf_sync(repo, sync_root, work_root, arch, logger): def dnf_sync(repo, sync_root, work_root, arch, logger):