Implemented handling of symlinks into tgz

Author: andsel

lib/bootstrap/util/compress.rb

@@ -78,6 +78,13 @@ def extract(file, target)
 
               if entry.directory?
                 FileUtils.mkdir_p(target_path)
+              elsif entry.symlink?
+                linkname = entry.header.linkname
+                unless LogStash::Util.symlink_target_safe?(linkname, target_path, target)
+                  raise CompressError.new("Refusing to extract symlink with unsafe target: #{entry.full_name} -> #{linkname}. Symlink target must remain inside extraction directory.")
+                end
+                FileUtils.mkdir_p(::File.dirname(target_path))
+                ::File.symlink(linkname, target_path)
               else # is a file to be extracted
                 ::File.open(target_path, "wb") { |f| f.write(entry.read) }
               end
@@ -134,14 +141,32 @@ def gzip(path, target_file)
       end
     end
 
-    # Verifies that a path string is safe for extraction (relative, no `..` traversal).
+    # Returns true if a symlink target (linkname) would resolve to a path under extraction_root
+    # when the symlink is created at symlink_path. Works on both Unix and Windows.
+    # @param linkname [String] symlink target (relative or absolute)
+    # @param symlink_path [String] full path where the symlink will be created
+    # @param extraction_root [String] root directory all paths must stay under
+    # @return [Boolean] true if resolved path is under extraction_root
+    def self.symlink_target_safe?(linkname, symlink_path, extraction_root)
+      return false if linkname.nil? || linkname.to_s.strip.empty?
+      symlink_dir = ::File.dirname(symlink_path)
+      resolved = Pathname.new(::File.expand_path(linkname, symlink_dir)).cleanpath
+      root = Pathname.new(::File.expand_path(extraction_root)).cleanpath
+      !resolved.relative_path_from(root).to_s.start_with?("..")
+    rescue ArgumentError
+      # relative_path_from raises if resolved is not under root
+      false
+    end
+
+    # Verifies that a path string is safe for extraction (relative, no parents traversal).
     # Raises CompressError with a specific message if the path is nil/empty, absolute, or
-    # contains `..`. Does NOT handle symlinks. Works on both Unix and Windows.
+    # contains `..`. Does NOT handle symlinks, symlinks should be handled on per archive type basis.
+    # Works on both Unix and Windows.
     # @param name [String] path string to validate
     # @raise [CompressError] if path is nil, empty, absolute, or traverses with `..`
     def self.verify_name_safe!(name)
       if name.nil? || name.to_s.strip.empty?
-        raise CompressError.new("Refusing to extract file to unsafe path. Path cannot be nil or empty.")
+        raise CompressError.new("Refusing to extract file. Path cannot be nil or empty.")
       end
       cleanpath = Pathname.new(name).cleanpath
       if cleanpath.absolute?

lib/pluginmanager/pack_installer/local.rb

@@ -24,7 +24,7 @@
 
 module LogStash module PluginManager module PackInstaller
   class Local
-    PACK_EXTENSION = ".zip"
+    PACK_EXTENSIONS = [".zip", ".tar.gz"].freeze
     LOGSTASH_PATTERN_RE = /logstash\/?/
 
     attr_reader :local_file
@@ -35,7 +35,7 @@ def initialize(local_file)
 
     def execute
       raise PluginManager::FileNotFoundError, "Can't file local file #{local_file}" unless ::File.exist?(local_file)
-      raise PluginManager::InvalidPackError, "Invalid format, the pack must be in zip format" unless valid_format?(local_file)
+      raise PluginManager::InvalidPackError, "Invalid format, the pack must be in zip or tar.gz format" unless valid_format?(local_file)
 
       PluginManager.ui.info("Installing file: #{local_file}")
       uncompressed_path = uncompress(local_file)
@@ -69,16 +69,23 @@ def execute
     private
     def uncompress(source)
       temporary_directory = Stud::Temporary.pathname
-      LogStash::Util::Zip.extract(source, temporary_directory, LOGSTASH_PATTERN_RE)
+      if source.downcase.end_with?(".tar.gz")
+        LogStash::Util::Tar.extract(source, temporary_directory)
+      else
+        LogStash::Util::Zip.extract(source, temporary_directory, LOGSTASH_PATTERN_RE)
+      end
       temporary_directory
     rescue Zip::Error => e
       # OK Zip's handling of file is bit weird, if the file exist but is not a valid zip, it will raise
       # a `Zip::Error` exception with a file not found message...
       raise InvalidPackError, "Cannot uncompress the zip: #{source}"
+    rescue LogStash::CompressError => e
+      raise InvalidPackError, "Cannot uncompress the archive: #{e.message}"
     end
 
     def valid_format?(local_file)
-      ::File.extname(local_file).downcase == PACK_EXTENSION
+      path = local_file.to_s.downcase
+      PACK_EXTENSIONS.any? { |ext| path.end_with?(ext) }
     end
   end
 end end end

spec/support/pack/README.md

@@ -0,0 +1,18 @@
+# Pack fixtures
+
+## Recreating `pack_with_symlink.tar.gz`
+
+This archive contains a minimal pack layout (logstash/ with one dummy gem) plus a symbolic link, used to test tar.gz extraction with symlink support.
+
+Run the following from the project root (Unix/macOS):
+
+```bash
+mkdir -p spec/support/pack/build/logstash
+echo "dummy gem content" > spec/support/pack/build/logstash/logstash-input-packtest-0.1.0.gem
+echo "content" > spec/support/pack/build/logstash/somefile.txt
+ln -s somefile.txt spec/support/pack/build/logstash/link_to_somefile
+tar -czf spec/support/pack/pack_with_symlink.tar.gz -C spec/support/pack/build logstash
+rm -rf spec/support/pack/build
+```
+
+On Windows (PowerShell), create the symlink with appropriate permissions or use a different method to produce a tar that contains a symlink entry; the above sequence is for Unix-like systems.

spec/support/pack/pack_with_symlink.tar.gz

@@ -73,5 +73,17 @@
         expect { subject.execute }.not_to raise_error
       end
     end
+
+    context "when the pack is valid tar.gz with symlink" do
+      let(:local_file) { ::File.join(::File.dirname(__FILE__), "..", "..", "..", "support", "pack", "pack_with_symlink.tar.gz") }
+
+      it "extracts the archive including the symlink and installs the gems" do
+        skip("Fixture not found") unless ::File.exist?(local_file)
+        expect(::Bundler::LogstashInjector).to receive(:inject!).with(be_kind_of(LogStash::PluginManager::PackInstaller::Pack)).and_return([])
+        expect(::LogStash::PluginManager::GemInstaller).to receive(:install).with(/logstash-input-packtest-0\.1\.0\.gem/, anything).and_return(nil)
+
+        expect { subject.execute }.not_to raise_error
+      end
+    end
   end
 end

spec/unit/plugin_manager/pack_installer/local_spec.rb

@@ -54,7 +54,7 @@ def list_files(target)
 end
 
 describe LogStash::Util do
-  describe ".verify_name_safe!" do
+  context "verify entry files destinations" do
     it "raises CompressError for nil or empty path" do
       expect { LogStash::Util.verify_name_safe!(nil) }.to raise_error(LogStash::CompressError, /Path cannot be nil or empty/)
       expect { LogStash::Util.verify_name_safe!("") }.to raise_error(LogStash::CompressError, /Path cannot be nil or empty/)
@@ -218,6 +218,26 @@ def list_files(target)
       expect(FileUtils).to receive(:mkdir).with(target)
       expect { subject.extract(source, target) }.to raise_error(LogStash::CompressError, /Refusing to extract file to unsafe path.*Files may not traverse with `..`/)
     end
+
+    it "extracts a tar.gz containing a symlink and creates the symlink" do
+      fixture = ::File.join(::File.dirname(__FILE__), "..", "..", "support", "pack", "pack_with_symlink.tar.gz")
+      skip("Fixture not found") unless ::File.exist?(fixture)
+      target_dir = Stud::Temporary.pathname
+      subject.extract(fixture, target_dir)
+      symlink_path = ::File.join(target_dir, "logstash", "link_to_somefile")
+      expect(::File.symlink?(symlink_path)).to be true
+      expect(::File.readlink(symlink_path)).to eq("somefile.txt")
+    end
+
+    it "raises CompressError when a symlink target would escape the extraction directory" do
+      header = OpenStruct.new(:typeflag => "2", :linkname => "../../etc/passwd")
+      entry = OpenStruct.new(:full_name => "logstash/link_evil", :directory? => false, :symlink? => true, :header => header, :read => nil)
+      tar_with_evil_symlink = [entry]
+      allow(Zlib::GzipReader).to receive(:open).with(source).and_yield(gzip_file)
+      allow(Gem::Package::TarReader).to receive(:new).with(gzip_file).and_yield(tar_with_evil_symlink)
+      expect(FileUtils).to receive(:mkdir).with(target)
+      expect { subject.extract(source, target) }.to raise_error(LogStash::CompressError, /Refusing to extract symlink with unsafe target/)
+    end
   end
 
   context "#compression" do