Exemplo n.º 1
0
    def test_tar_path_traversal_attack(self):
        # Test for vulnerability to path-traversal attacks.
        with tempfile.TemporaryDirectory() as tmpdir:
            tmpdir = pathlib.Path(tmpdir)
            dest = tmpdir / "dest"
            dest.mkdir()
            for link_dest in ("../nonexistant", "/nonexistant"):
                tar = tmpdir / "symlink-path-traversal.tgz"
                filename = tmpdir / "link"
                filename.symlink_to(link_dest)
                with utils.cd(tmpdir):
                    with tarfile.open(tar, mode="w:gz") as tf:
                        tf.add("link")
                with self.assertRaises(ValueError):
                    utils.untar(tar, dest)
                rm_f(filename)
                rm_f(tar)

            for name in ("../nonexistant", "/nonexistant"):
                tar = tmpdir / "path-traversal.tgz"
                filename = tmpdir / "test-thing"
                with open(filename, "w") as f:
                    print("blah", file=f)
                with utils.cd(tmpdir):
                    with tarfile.open(tar, mode="w:gz") as tf:

                        def filt(info):
                            info.name = name  # path the file will be extracted to
                            return info

                        tf.add("test-thing", filter=filt)
                with self.assertRaises(ValueError):
                    utils.untar(tar, dest)
                rm_f(filename)
                rm_f(tar)
Exemplo n.º 2
0
    def test_bad_tar_members(self):
        # Pretend we downloaded a tarball containing a FIFO or device file.
        # There is no reasonable use for these types of files in stdpopsim,
        # so their presence likely indicates a maliciously crafted tarball.
        # Creating a character or block special device file requires root
        # privileges, so we instead modify the ``type`` field of each file
        # in the tar.
        with tempfile.TemporaryDirectory() as tmpdir:
            tmpdir = pathlib.Path(tmpdir)
            dest = tmpdir / "dest"
            dest.mkdir()
            for filename, type_ in [
                ("fifo", tarfile.FIFOTYPE),
                ("char-device", tarfile.CHRTYPE),
                ("block-device", tarfile.BLKTYPE),
            ]:
                tar = tmpdir / "irregular-type.tgz"
                filename = tmpdir / "irregular"
                with open(filename, "w") as f:
                    print("blah", file=f)
                with utils.cd(tmpdir):
                    with tarfile.open(tar, mode="w:gz") as tf:

                        def filt(info):
                            info.type = type_  # lie about the type
                            return info

                        tf.add("irregular", filter=filt)
                with self.assertRaises(ValueError):
                    utils.untar(tar, dest)
                rm_f(filename)
                rm_f(tar)
Exemplo n.º 3
0
    def test_untar(self):
        with tempfile.TemporaryDirectory() as tmpdir:
            tmpdir = pathlib.Path(tmpdir)
            test_files = ["foo", "bar", "baz"]
            sha_list = []
            for name in test_files:
                filename = tmpdir / name
                with open(filename, "wb") as f:
                    f.write(name.encode())
                # Record checksums for later.
                sha_list.append(utils.sha256(filename))

            tar = tmpdir / "test.tgz"
            with utils.cd(tmpdir):
                with tarfile.open(tar, mode="w:gz") as tf:
                    for name in test_files:
                        tf.add(name)

            dest = tmpdir / "dest"
            dest.mkdir()
            utils.untar(tar, dest)
            for name, sha in zip(test_files, sha_list):
                filename = dest / name
                self.assertTrue(filename.exists())
                # Check that extracted files have the same checksums as
                # the files we put in the tar.
                self.assertEqual(utils.sha256(filename), sha)