Fix CVE-2018-1000544 #371
Fix CVE-2018-1000544 #371
Conversation
bdewater
force-pushed
the
fix-cve-2018-1000544
branch
from
7720b14
to
2425c91
Compare
|
Coverage decreased (-2.3%) to 94.268% when pulling 7720b14 on bdewater:fix-cve-2018-1000544 into 8887b70 on rubyzip:master. |
|
Coverage decreased (-4.08%) to 94.718% when pulling 0586329 on bdewater:fix-cve-2018-1000544 into e89f6ac on rubyzip:master. |
bdewater
force-pushed
the
fix-cve-2018-1000544
branch
from
2425c91
to
472acab
Compare
|
CI failures are unrelated (JRuby installation 404s) |
bdewater
force-pushed
the
fix-cve-2018-1000544
branch
from
472acab
to
d68fbd2
Compare
| if @name.squeeze('/') =~ /\.{2}(?:\/|\z)/ | ||
| def extract(dest_path = nil, &block) | ||
| if dest_path.nil? && Pathname.new(@name).absolute? | ||
| puts "WARNING: skipped absolute path in #{@name}" |
There was a problem hiding this comment.
Is putsing a warning the best thing (most extensible) way to do things? I recognize that's what the previous code did, but it seems off to me. Maybe we should raise, or is there some kind of error reporting mechanism that we can surface to the user that's zipfile-wide?
There was a problem hiding this comment.
Either way feel free to say that this is out of scope :)
| puts "WARNING: skipped \"../\" path component(s) in #{@name}" | ||
| return self | ||
| elsif symlink? && get_input_stream.read =~ %r{../..} |
There was a problem hiding this comment.
Could you add a test that this still works for non-malicious symlinks? It doesn't appear there is one.
The comment on get_input_stream's definition seems to also say that it doesn't work too great for symlinks. We should make sure we're not adding any undefined behaviour: https://github.com/rubyzip/rubyzip/blob/master/lib/zip/entry.rb#L484
There was a problem hiding this comment.
Symlink could also links to absolute path
You can find examples of such zip files in https://github.com/jwilk/path-traversal-samples
|
Given this doesn't look too broken, can we please have that merged and a new release stamped with it? Thanks :-) |
| if dest_path.nil? && Pathname.new(@name).absolute? | ||
| puts "WARNING: skipped absolute path in #{@name}" | ||
| return self | ||
| elsif @name.squeeze('/') =~ /\.{2}(?:\/|\z)/ |
There was a problem hiding this comment.
Should this not also gain the dest_path.nil? check?
|
Example in README calls .extract() with the name from the zipfile, leading to the same vulnerability in code that gets copy-pasted from the README. |
|
Our team would love to see this merged and released as well. This has started to show up in our automated vulnerability analysis (https://hakiri.io/technologies/rubyzip/issues/1e6c19ff65e713) and our builds are red as a result. Happy to help get this over the line if any additional work is needed. Please let me know! |
|
I can address feedback to this PR - @simonoff have you had a chance to look at this? Right now do not have the bandwidth available to look at/add tests for all the examples in https://github.com/jwilk/path-traversal-samples - so if somebody feels like taking a crack at it you're most welcome 🙂 |
|
Tests is failed. Need to have a green build to make it merged. |
Small refactor along the way to centralize destination handling when no explicit path is given and a potential malicious one from the zipfile is used
Not sure if the exception is the right way to go
bdewater
force-pushed
the
fix-cve-2018-1000544
branch
from
d68fbd2
to
8e78311
Compare
|
This was just added to ruby-advisory-db, so would love for this PR to be finalized, landed, and released. |
|
I looked at why the jruby builds were failing. Its after an upgrade to 9.2 affecting the crc32 checksum in Encryption tests. |
|
Thanks @vipulnsward - I've pulled your commit from #375 in to get this PR green. |
|
Based on #371 (comment) and #371 (comment) I added tests for https://github.com/jwilk/path-traversal-samples Tests are in: jdleesmiller@9c468f3 Good news: most pass. Bad news: two don't pass: I have not yet attempted to fix the bugs, and I'm not sure I know enough about this library to do that, but I thought I should at least report the test results. Edit: Tried out a (rather drastic) fix in #376 |
Ignore CVE-2018-1000544 (a vulnerability in rubyzip). It does not affect production. See: #1222 rubyzip/rubyzip#371 https://nvd.nist.gov/vuln/detail/CVE-2018-1000544 Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
unzipping was broken due to fixes for CVE-2018-1000544 in rubyzip: [1], [2]. Also, see [3]. Fixes tdtds#32. [1]: rubyzip/rubyzip#371 [2]: rubyzip/rubyzip#376 [3]: rubyzip/rubyzip#354
Unzipping was broken due to fixes for CVE-2018-1000544 in rubyzip: [1], [2]. Also, see [3]. [1]: rubyzip/rubyzip#371 [2]: rubyzip/rubyzip#376 [3]: rubyzip/rubyzip#354
Attempt to fix #369
Not sure if there's a better way to handle Errno::ENOENT in the symlink case, open to suggstions.