Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reintroduce Path Sanitization #198

Merged
merged 6 commits into from Nov 10, 2020
Merged

Reintroduce Path Sanitization #198

merged 6 commits into from Nov 10, 2020

Conversation

Plecra
Copy link
Member

@Plecra Plecra commented Sep 12, 2020

Closes #181

I've kept the old behaviour available through mangled_name, for users who actively decided on it. I took the opportunity to give a stronger warning in the documentation, and provide an alternative which I think is more suitable.

This also means we can bring back the ZipArchive::extract API, which I now see as effectively complete for 0.5.

Are these API changes enough @jamesmcm ?

(And since you've shown interest in the old API, I'd also like to know which strategy you prefer @aspen 馃榾 )

@Plecra Plecra requested a review from rylev September 12, 2020 10:01
@Plecra
fix: overlapping borrows on unix platforms
33a787e 
When cfg(unix), the `outpatj` meeded to last until the
`set_permissions` call, but it can't exist during the `io::copy`
@jamesmcm
Copy link

Thanks, this is great!

rylev
rylev suggested changes Sep 23, 2020
View reviewed changes
Copy link
Contributor

@rylev rylev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! I have a few changes I'd like to see, and I'd like us to bikeshed the name a bit more, but overall this is great!

src/read.rs Outdated
@@ -310,6 +311,49 @@ impl<R: Read + io::Seek> ZipArchive<R> {
comment: footer.zip_file_comment,
})
}
/// Extract a Zip archive into a directory.
///
/// Malformed and malicious paths are rejected so that they cannot escape
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably say "Malformed or potentially malicious paths".

Perhaps we should make reference to name_as_child docs to enumerate the types of paths that will be rejected.

src/read.rs Outdated

let outpath = directory.as_ref().join(filepath);

if (file.name()).ends_with('/') {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why the () around file.name()?

src/read.rs Outdated
/// Malformed and malicious paths are rejected so that they cannot escape
/// the given directory.
///
/// This bails on the first error and does not attempt cleanup.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should also mention that this will override existing files if they have the same path as a file in the zip archive.

src/read.rs Outdated
/// This will read well-formed ZIP files correctly, and is resistant
/// to path-based exploits. It is recommended over
/// [`ZipFile::mangled_name`].
pub fn name_as_child(&self) -> Option<&Path> {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how I feel about the name of the method. Perhaps relative_name or checked_relative_name. Nothing stands out as clearly better.

@Plecra Plecra mentioned this pull request Nov 10, 2020
Closed
@Plecra
Copy link
Member Author

Plecra commented Nov 10, 2020

Nice points @rylev. I've renamed the API to enclosed_name. It's not perfect, but I don't think we'll come up with something better with more time. I'd like to release 0.5.9 (with this fix) within the next couple days, so lmk if there's an issue

@Plecra Plecra merged commit 5a053cd into master Nov 10, 2020
@Plecra Plecra deleted the path-sanitization branch January 23, 2022 16:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rylev rylev rylev requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement path sanitization
3 participants
@Plecra @jamesmcm @rylev