Disallow '..' decompression outside of parent directory

mitchellh · mitchellh · commit a0f46480b064 · 2018-03-26T11:24:17.000-07:00
diff --git a/decompress.go b/decompress.go
@@ -1,7 +1,15 @@
 package getter
 
+import (
+	"strings"
+)
+
 // Decompressor defines the interface that must be implemented to add
 // support for decompressing a type.
+//
+// Important: if you're implementing a decompressor, please use the
+// containsDotDot helper in this file to ensure that files can't be
+// decompressed outside of the specified directory.
 type Decompressor interface {
 	// Decompress should decompress src to dst. dir specifies whether dst
 	// is a directory or single file. src is guaranteed to be a single file
@@ -31,3 +39,20 @@ func init() {
 		"zip":     new(ZipDecompressor),
 	}
 }
+
+// containsDotDot checks if the filepath value v contains a ".." entry.
+// This will check filepath components by splitting along / or \. This
+// function is copied directly from the Go net/http implementation.
+func containsDotDot(v string) bool {
+	if !strings.Contains(v, "..") {
+		return false
+	}
+	for _, ent := range strings.FieldsFunc(v, isSlashRune) {
+		if ent == ".." {
+			return true
+		}
+	}
+	return false
+}
+
+func isSlashRune(r rune) bool { return r == '/' || r == '\\' }
diff --git a/decompress_tar.go b/decompress_tar.go
@@ -35,6 +35,11 @@ func untar(input io.Reader, dst, src string, dir bool) error {
 
 		path := dst
 		if dir {
+			// Disallow parent traversal
+			if containsDotDot(hdr.Name) {
+				return fmt.Errorf("entry contains '..': %s", hdr.Name)
+			}
+
 			path = filepath.Join(path, hdr.Name)
 		}
 
diff --git a/decompress_tgz_test.go b/decompress_tgz_test.go
@@ -74,6 +74,17 @@ func TestTarGzipDecompressor(t *testing.T) {
 			"",
 			nil,
 		},
+
+		// Tests that a tar.gz can't contain references with "..".
+		// GNU `tar` also disallows this.
+		{
+			"outside_parent.tar.gz",
+			true,
+			true,
+			nil,
+			"",
+			nil,
+		},
 	}
 
 	for i, tc := range cases {
diff --git a/decompress_zip.go b/decompress_zip.go
@@ -42,6 +42,11 @@ func (d *ZipDecompressor) Decompress(dst, src string, dir bool) error {
 	for _, f := range zipR.File {
 		path := dst
 		if dir {
+			// Disallow parent traversal
+			if containsDotDot(f.Name) {
+				return fmt.Errorf("entry contains '..': %s", f.Name)
+			}
+
 			path = filepath.Join(path, f.Name)
 		}
 
diff --git a/decompress_zip_test.go b/decompress_zip_test.go
@@ -78,6 +78,16 @@ func TestZipDecompressor(t *testing.T) {
 			"",
 			nil,
 		},
+
+		// Tests that a zip can't contain references with "..".
+		{
+			"outside_parent.zip",
+			true,
+			true,
+			nil,
+			"",
+			nil,
+		},
 	}
 
 	for i, tc := range cases {
diff --git a/test-fixtures/decompress-tgz/outside_parent.tar.gz b/test-fixtures/decompress-tgz/outside_parent.tar.gz
diff --git a/test-fixtures/decompress-zip/outside_parent.zip b/test-fixtures/decompress-zip/outside_parent.zip
