PR #622: security fixes for v1.3.2

piksel · web-flow · commit ffe69c0ad392 · 2021-05-08T18:59:54.000+02:00
* test: alter LimitExtractPath to check for file/dir collision
* fix: disallow traversal when file and base dir share name
* fix: use random file name for writing asciitrans tar entries
* fix: add dir separator to base dir if missing
diff --git a/src/ICSharpCode.SharpZipLib/Tar/TarArchive.cs b/src/ICSharpCode.SharpZipLib/Tar/TarArchive.cs
@@ -824,7 +824,7 @@ private void WriteEntryCore(TarEntry sourceEntry, bool recurse)
 			{
 				if (!IsBinary(entryFilename))
 				{
-					tempFileName = Path.GetTempFileName();
+					tempFileName = Path.GetRandomFileName();
 
 					using (StreamReader inStream = File.OpenText(entryFilename))
 					{
diff --git a/src/ICSharpCode.SharpZipLib/Zip/WindowsNameTransform.cs b/src/ICSharpCode.SharpZipLib/Zip/WindowsNameTransform.cs
@@ -1,6 +1,7 @@
 using ICSharpCode.SharpZipLib.Core;
 using System;
 using System.IO;
+using System.Runtime.InteropServices;
 using System.Text;
 
 namespace ICSharpCode.SharpZipLib.Zip
@@ -133,7 +134,14 @@ public string TransformFile(string name)
 				{
 					name = Path.Combine(_baseDirectory, name);
 
-					if (!_allowParentTraversal && !Path.GetFullPath(name).StartsWith(_baseDirectory, StringComparison.InvariantCultureIgnoreCase))
+					// Ensure base directory ends with directory separator ('/' or '\' depending on OS)
+					var pathBase = Path.GetFullPath(_baseDirectory);
+					if (pathBase[pathBase.Length - 1] != Path.DirectorySeparatorChar)
+					{
+						pathBase += Path.DirectorySeparatorChar;
+					}
+
+					if (!_allowParentTraversal && !Path.GetFullPath(name).StartsWith(pathBase, StringComparison.InvariantCultureIgnoreCase))
 					{
 						throw new InvalidNameException("Parent traversal in paths is not allowed");
 					}
diff --git a/test/ICSharpCode.SharpZipLib.Tests/Zip/FastZipHandling.cs b/test/ICSharpCode.SharpZipLib.Tests/Zip/FastZipHandling.cs
@@ -474,7 +474,7 @@ public void LimitExtractPath()
 			tempPath = Path.Combine(tempPath, uniqueName);
 			var extractPath = Path.Combine(tempPath, "output");
 
-			const string contentFile = "content.txt";
+			const string contentFile = "output.txt";
 
 			var contentFilePathBad = Path.Combine("..", contentFile);
 			var extractFilePathBad = Path.Combine(tempPath, contentFile);

Original file line number	Diff line number	Diff line change
`@@ -824,7 +824,7 @@ private void WriteEntryCore(TarEntry sourceEntry, bool recurse)`
`824`	`824`	`{`
`825`	`825`	`if (!IsBinary(entryFilename))`
`826`	`826`	`{`
`827`		`- tempFileName = Path.GetTempFileName();`
	`827`	`+ tempFileName = Path.GetRandomFileName();`
`828`	`828`
`829`	`829`	`using (StreamReader inStream = File.OpenText(entryFilename))`
`830`	`830`	`{`