Conversation
🤖 GitHub commentsJust comment with:
|
|
This pull request does not have a backport label. Could you fix it @andsel? 🙏
|
|
run exhaustive tests |
lib/bootstrap/util/compress.rb
Outdated
| raise CompressError.new("Directory #{target} exist") if ::File.exist?(target) | ||
| ::Zip::File.open(source) do |zip_file| | ||
| zip_file.each do |file| | ||
| raise CompressError.new("Extracting file outside target directory: #{file.name}") unless LogStash::Util.name_safe?(file.name) |
There was a problem hiding this comment.
I think the copy here could be improved.
| raise CompressError.new("Extracting file outside target directory: #{file.name}") unless LogStash::Util.name_safe?(file.name) | |
| raise CompressError.new("Refusing to extract file to unsafe path: #{file.name}. Files may not traverse with `..`") unless LogStash::Util.name_safe?(file.name) |
There was a problem hiding this comment.
I'd rather have the validation code tell us why the provided path is unsafe, instead of having the validator return boolean and hard-coding a reason here.
For example, the name_safe? method will also return false when the provided path is absolute.
If we do provide blanket guidance, I would prefer to include all possible failure reasons:
| raise CompressError.new("Extracting file outside target directory: #{file.name}") unless LogStash::Util.name_safe?(file.name) | |
| raise CompressError.new("Refusing to extract file outside target directory: `#{file.name}`. Paths must be relative and may not traverse with `..`") unless LogStash::Util.name_safe?(file.name) |
| tar_file.each do |entry| | ||
| raise CompressError.new("Extracting file outside target directory: #{entry.full_name}") unless LogStash::Util.name_safe?(entry.full_name) | ||
| target_path = ::File.join(target, entry.full_name) | ||
|
|
There was a problem hiding this comment.
Since we're already in here, it'd be nice to handle the symlink issue for safety. When I started reviewing this I saw the note about them and was forced to think through whether this was exploitable or not.
While we are not presently vulnerable--since we only write regular files or create directories--it would be nice to at least handle the case here explicitly.
If someone (or some agent) mistakenly added symlink support this would be defensive. Also, we can remove the note later in the file about symlinks not being covered. This is one less bit of security surface area future contributors would have to worry about.
| # POSIX tar typeflag values: '1' = hard link, '2' = symbolic link | |
| # https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_06 | |
| # The pathname of a link being created to another file, of any type, previously archived. This record shall override the linkname field in the following ustar header block(s). The following ustar header block shall determine the type of link created. If typeflag of the following header block is 1, it shall be a hard link. If typeflag is 2, it shall be a symbolic link and the linkpath value shall be the contents of the symbolic link. The pax utility shall translate the name of the link (contents of the symbolic link) from the encoding in the header to the character set appropriate for the local file system. When used in write or copy mode, pax shall include a linkpath extended header record for each link whose pathname cannot be represented entirely with the members of the portable character set other than NUL. | |
| case entry.header.typeflag | |
| when '2' then raise CompressError.new("Refusing to extract symlink entry: #{entry.full_name}") | |
| when '1' then raise CompressError.new("Refusing to extract hardlink entry: #{entry.full_name}") | |
| end |
There was a problem hiding this comment.
I think we could use the symlink? method present in Gem::Package::TarReader::Entry instead of using magic numbers (https://github.com/ruby/rubygems/blob/bcc44695d6bb0915912e10cbb09283c1e242f1ff/lib/rubygems/package/tar_reader/entry.rb#L127).
However, it doesn't cover the hardlink case.
It seems that also zip has symlink? method we can leverage.
There was a problem hiding this comment.
From better investigation I found that rubyzip (at the version we use and above) disabled to decompress symlinks for security reasons.
Version 3.2.2 apparently re-introduced symlink: rubyzip/rubyzip#531
There was a problem hiding this comment.
Hmmm, I'm not nuts about magic numbers either, weird there's no hardlink option. What would you like to do here?
There was a problem hiding this comment.
Ah, I see you added the symlink check below. Looks like the lib only covers symlinks anyway, so I think this is good!
lib/bootstrap/util/compress.rb
Outdated
| end | ||
|
|
||
| # Is the name a relative path, free of `..` patterns that could lead to | ||
| # path traversal attacks? This does NOT handle symlinks; if the path |
There was a problem hiding this comment.
Per my comment above, we can remove the mention of symlinks if we add the check for them.
|
run exhaustive tests |
…ent exception for each case
|
run exhaustive tests |
There was a problem hiding this comment.
Pull request overview
This PR adds security validation for file names during archive extraction (both zip and tar.gz) to prevent path traversal attacks. It also adds symlink support for tar.gz extraction with safety checks to ensure symlink targets remain within the extraction directory. Additionally, the pack installer is updated to support .tar.gz format alongside .zip.
Changes:
- Adds
verify_name_safe!method to reject nil/empty, absolute, or..-traversing paths during extraction - Adds
symlink_target_safe?method and symlink extraction support for tar.gz archives - Extends
PackInstaller::Localto accept and extract.tar.gzpacks alongside.zip
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| lib/bootstrap/util/compress.rb | Adds path validation (verify_name_safe!), symlink safety check (symlink_target_safe?), and symlink extraction in Tar.extract |
| lib/pluginmanager/pack_installer/local.rb | Extends pack installer to support .tar.gz format with appropriate extraction routing and error handling |
| spec/unit/util/compress_spec.rb | Tests for path validation, traversal rejection, and symlink safety in both zip and tar extraction |
| spec/unit/plugin_manager/pack_installer/local_spec.rb | Test for tar.gz pack extraction with symlinks |
| spec/support/pack/pack_with_symlink.tar.gz | Test fixture tar.gz containing a symlink |
| spec/support/pack/README.md | Documents how to recreate the test fixture |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…that uses tar.gz files
|
run exhaustive tests |
There was a problem hiding this comment.
Pull request overview
This PR hardens archive extraction by adding validation for archive entry names (to prevent unsafe extraction paths) and rejecting tar symlink entries, with accompanying spec updates and fixture documentation.
Changes:
- Add archive-entry path validation for Zip/Tar extraction and reject tar symlink entries.
- Add/extend unit and integration-ish specs around unsafe paths and symlink behavior.
- Improve plugin pack installation error handling by mapping
LogStash::CompressErrortoInvalidPackError.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
lib/bootstrap/util/compress.rb |
Adds entry-name validation, rejects tar symlinks, and wires checks into Zip/Tar extraction. |
lib/pluginmanager/pack_installer/local.rb |
Rescues LogStash::CompressError during uncompress and raises InvalidPackError with details. |
spec/unit/util/compress_spec.rb |
Adds tests for new safety checks and adjusts tar mocks for new symlink?/directory? usage. |
x-pack/spec/geoip_database_management/downloader_spec.rb |
Adds a spec asserting tarballs with symlinks raise LogStash::CompressError. |
x-pack/spec/geoip_database_management/fixtures/README.md |
Documents how to recreate the symlink-containing tar fixture. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ymlink just raising an error when a tgz contains a symlink
There was a problem hiding this comment.
Pull request overview
This PR hardens archive extraction by validating entry filenames/paths and rejecting tar symlink entries, with accompanying specs and fixtures to prevent path traversal and symlink-based extraction.
Changes:
- Add
LogStash::Util.verify_name_safe!and apply it to Zip/Tar extraction paths. - Reject tar symlink entries via
verify_tar_link_entry!and add fixture-based specs asserting the behavior. - Wrap
LogStash::CompressErrorasInvalidPackErrorin the local plugin pack installer.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
lib/bootstrap/util/compress.rb |
Adds entry-name safety verification for zip/tar extraction and rejects tar symlink entries. |
lib/pluginmanager/pack_installer/local.rb |
Converts CompressError failures during uncompress into InvalidPackError. |
spec/unit/util/compress_spec.rb |
Adds unit coverage for safe-name verification, traversal rejection, and tar symlink rejection. |
x-pack/spec/geoip_database_management/downloader_spec.rb |
Adds a downloader spec asserting symlink tarball rejection. |
x-pack/spec/geoip_database_management/fixtures/sample_with_symlink.tgz |
Adds a tarball fixture containing a symlink entry. |
x-pack/spec/geoip_database_management/fixtures/README.md |
Documents how to regenerate the symlink fixture. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Tar.gz-only: rejects symlink entries | ||
| # @param entry [Gem::Package::TarReader::Entry] | ||
| # @raise [CompressError] if entry is a symlink or path is unsafe | ||
| def self.verify_tar_link_entry!(entry) |
|
|
||
| it "raises when tarball contains a symlink entry" do | ||
| zip_path = ::File.expand_path("./fixtures/sample_with_symlink.tgz", ::File.dirname(__FILE__)) | ||
| skip("sample_with_symlink.tgz not found") unless ::File.exist?(zip_path) |
| it "raises when tarball contains a symlink entry" do | ||
| zip_path = ::File.expand_path("./fixtures/sample_with_symlink.tgz", ::File.dirname(__FILE__)) | ||
| skip("sample_with_symlink.tgz not found") unless ::File.exist?(zip_path) | ||
|
|
||
| expect { downloader.send(:unzip, database_type, dirname, zip_path) }.to raise_error(LogStash::CompressError, /Refusing to extract symlink entry/) |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR adds archive entry validation to prevent unsafe extraction paths and expands test coverage around tar/zip extraction safety, including rejecting tar symlink entries.
Changes:
- Validate zip and tar entry names during extraction via
LogStash::Util.verify_name_safe!. - Reject symlink entries during tar.gz extraction via
verify_tar_link_entry!, and surface failures asInvalidPackErrorin the plugin pack installer. - Add fixtures and specs to assert symlink rejection and unsafe-path handling.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
lib/bootstrap/util/compress.rb |
Adds path validation for zip/tar extraction and rejects tar symlinks. |
lib/pluginmanager/pack_installer/local.rb |
Converts CompressError from extraction into InvalidPackError for user-facing pack install errors. |
spec/unit/util/compress_spec.rb |
Adds unit coverage for path validation, traversal rejection, and symlink tarball fixture behavior. |
x-pack/spec/geoip_database_management/downloader_spec.rb |
Adds an integration-style spec to ensure GeoIP downloader rejects symlink tar entries. |
x-pack/spec/geoip_database_management/fixtures/sample_with_symlink.tgz |
New fixture tarball containing a symlink entry for extraction rejection tests. |
x-pack/spec/geoip_database_management/fixtures/README.md |
Documents how to recreate the new symlink-containing tarball fixture. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| if entry.directory? | ||
| FileUtils.mkdir_p(target_path) | ||
| else # is a file to be extracted | ||
| else # is a file to be extracted (symlinks rejected in verify_tar_link_entry!) |
| # Tar.gz-only: rejects symlink entries | ||
| # @param entry [Gem::Package::TarReader::Entry] | ||
| # @raise [CompressError] if entry is a symlink or path is unsafe | ||
| def self.verify_tar_link_entry!(entry) |
| it "does not raise for safe relative paths" do | ||
| expect { LogStash::Util.verify_name_safe!("foo/bar") }.not_to raise_error | ||
| expect { LogStash::Util.verify_name_safe!("a/b/c") }.not_to raise_error | ||
| expect { LogStash::Util.verify_name_safe!("single") }.not_to raise_error | ||
| end |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
💛 Build succeeded, but was flaky
Failed CI Steps
History
cc @andsel |
Release notes
[rn:skip]
What does this PR do?
Adds a file name verification