
Arbitrary file write during tarfile extraction in `luigi/contrib/sge_runner.py`

Open Ali-Razmjoo opened this issue 1 year ago • 0 comments

Hi,

I am reporting a potential security issue with arbitrary file write during tarfile extraction in

https://github.com/spotify/luigi/blob/master/luigi/contrib/sge_runner.py#L67-L70

Extracting files from a malicious tar archive without validating that the destination file path is within the destination directory can cause files outside the destination directory to be overwritten, due to the possible presence of directory traversal elements (..) in archive paths.

  • ..\malicious_file
  • c:\malicious_file
  • /etc/passwd

Recommendation

import os
import sys
import tarfile

with tarfile.open(sys.argv[1]) as tar:
    for entry in tar:
        # GOOD: reject absolute paths and ".." components before extracting
        if os.path.isabs(entry.name) or ".." in entry.name:
            raise ValueError("Illegal tar archive entry")
        tar.extract(entry, "/tmp/unpack/")

References

Ali-Razmjoo commented Aug 24 '24 11:08
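The following is an added example, not code from the issue or from the luigi project, showing the extraction check above applied to a constructed archive. Instead of a string test for "..", it resolves each member's final destination with `os.path.realpath()` and compares it against the destination directory, which also catches absolute names, names that merely share a prefix with the destination (`unpack2/` vs `unpack/`), and link members whose target points outside. The archive contents, `build_archive`, `is_within`, `safe_extract` and `demo` are all constructed here for illustration; in `sge_runner.py` the archive path comes from `sys.argv[1]`.

```python
import io
import os
import tarfile
import tempfile


def build_archive(entries):
    """Build a tar archive in memory.

    entries: list of (name, data, linkname). data is bytes for a regular
    file; linkname is set (and data is None) for a symbolic link.
    This is constructed sample input for the example; in the sge_runner
    script the archive comes from sys.argv[1].
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within(base, target):
    """True if target resolves to base itself or to a path beneath it.

    realpath() normalises '..' segments and follows any symlink already
    present on disk, so a member cannot escape through a link that an
    earlier member created. commonpath() avoids the prefix pitfall where
    'unpack2/x' would pass a startswith('unpack') test.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def safe_extract(archive_bytes, dest):
    """Extract only members whose destination stays inside dest.

    Returns (extracted, rejected) lists of member names. A rejected member
    is never written; symlinks and hardlinks are also rejected when their
    link target would resolve outside dest.
    """
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        for member in tar:
            # os.path.join drops dest entirely when member.name is absolute,
            # so an absolute name fails the is_within check below
            target = os.path.join(dest, member.name)
            if not is_within(dest, target):
                rejected.append(member.name)
                continue
            if member.issym():
                # symlink targets are relative to the link's own directory
                link_target = os.path.join(os.path.dirname(target), member.linkname)
            elif member.islnk():
                # hardlink targets are relative to the archive root
                link_target = os.path.join(dest, member.linkname)
            else:
                link_target = target
            if not is_within(dest, link_target):
                rejected.append(member.name)
                continue
            tar.extract(member, dest)
            extracted.append(member.name)
    return extracted, rejected


def demo():
    """Run safe_extract over a constructed archive in a temporary directory."""
    archive = build_archive([
        ("ok/file.txt", b"hello", None),         # legitimate member
        ("../escape.txt", b"outside", None),     # traversal via '..'
        ("/etc/passwd", b"root::0:0", None),     # absolute path
        ("evil_link", None, "../../outside"),    # symlink pointing out of dest
    ])
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "unpack")
        os.mkdir(dest)
        extracted, rejected = safe_extract(archive, dest)
        with open(os.path.join(dest, "ok", "file.txt"), "rb") as fh:
            content = fh.read()
        escaped = os.path.exists(os.path.join(root, "escape.txt"))
    return {"extracted": extracted, "rejected": rejected,
            "content": content, "escaped": escaped}


if __name__ == "__main__":
    print(demo())
```

Running the block extracts only `ok/file.txt` and reports the three hostile members as rejected, with nothing written outside the `unpack` directory. Checking the resolved path rather than the raw name is what makes the link cases work: a symlink member is resolved relative to its own directory, a hardlink relative to the archive root, and any link an earlier member already placed on disk is followed by `realpath()` before the comparison.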