From 4f8585178af78f8f64c5ca38e923c306613278b9 Mon Sep 17 00:00:00 2001
From: Brian Kurek
Date: Sat, 27 Apr 2019 14:25:01 -0400
Subject: [PATCH 1/5] Ignore potentially unsafe files
---
 lib/parse.js | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/lib/parse.js b/lib/parse.js
index 600ad782..fdcdd7d4 100644
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -38,6 +38,7 @@ function Parse () {
   me._stream = new BlockStream(512)
   me.position = 0
   me._ended = false
+  me._entries = []
   me._stream.on("error", function (e) {
     me.emit("error", e)
@@ -250,7 +251,16 @@ Parse.prototype._startEntry = function (c) {
   if (onend) entry.on("end", onend)
+  if (entry.type === "File") {
+    this._entries.forEach(function(prevEntry) {
+      if (prevEntry.type === "Link" && prevEntry.path === entry.path) {
+        ev = "ignoredEntry"
+      }
+    })
+  }
+
   this._entry = entry
+  this._entries.push(entry)
   var me = this
   entry.on("pause", function () {
From 15e59f1d671ffbe4ae7c74dafcbec93ea2584e34 Mon Sep 17 00:00:00 2001
From: Brian Kurek
Date: Sat, 27 Apr 2019 17:16:52 -0400
Subject: [PATCH 2/5] Only track previously seen hardlinks
---
 lib/parse.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/parse.js b/lib/parse.js
index fdcdd7d4..e66c75da 100644
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -38,7 +38,7 @@ function Parse () {
   me._stream = new BlockStream(512)
   me.position = 0
   me._ended = false
-  me._entries = []
+  me._hardLinks = []
   me._stream.on("error", function (e) {
     me.emit("error", e)
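Review bot: The collision test in the added `if (entry.type === "File")` block compares `prevEntry.path === entry.path` as raw strings, so a File entry spelled `./a.txt` that follows a Link entry `a.txt` is not caught although both land on the same extracted file; if this check is meant to be the defence, the two paths should be normalized before comparison (node's `path.normalize`, if that module is in scope here). `_entries` also keeps every entry object alive for the life of the parser, which grows without bound on large archives even though only Link entries can ever match this check. `_startEntry` begins and ends outside the hunk.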
@@ -252,15 +252,19 @@ Parse.prototype._startEntry = function (c) {
   if (onend) entry.on("end", onend)
   if (entry.type === "File") {
-    this._entries.forEach(function(prevEntry) {
-      if (prevEntry.type === "Link" && prevEntry.path === entry.path) {
+    this._hardLinks.forEach(function(link) {
+      if (link.path === entry.path) {
         ev = "ignoredEntry"
       }
     })
   }
   this._entry = entry
-  this._entries.push(entry)
+
+  if (entry.type === "Link") {
+    this._hardLinks.push(entry)
+  }
+
   var me = this
   entry.on("pause", function () {
From 9fc84b9c596c3589d4c1ab050843de0eafb002e8 Mon Sep 17 00:00:00 2001
From: isaacs
Date: Tue, 14 May 2019 17:08:01 -0700
Subject: [PATCH 3/5] Use {} for hardlink tracking instead of []
---
 lib/parse.js | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/lib/parse.js b/lib/parse.js
index e66c75da..e8d007ba 100644
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -38,7 +38,7 @@ function Parse () {
   me._stream = new BlockStream(512)
   me.position = 0
   me._ended = false
-  me._hardLinks = []
+  me._hardLinks = {}
   me._stream.on("error", function (e) {
     me.emit("error", e)
@@ -251,18 +251,14 @@ Parse.prototype._startEntry = function (c) {
   if (onend) entry.on("end", onend)
-  if (entry.type === "File") {
-    this._hardLinks.forEach(function(link) {
-      if (link.path === entry.path) {
-        ev = "ignoredEntry"
-      }
-    })
+  if (entry.type === "File" && this._hardLinks[entry.path]) {
+    ev = "ignoredEntry"
   }
   this._entry = entry
   if (entry.type === "Link") {
-    this._hardLinks.push(entry)
+    this._hardLinks[entry.path] = entry
   }
   var me = this
From 7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d Mon Sep 17 00:00:00 2001
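Review bot: Narrowing the tracking to `entry.type === "Link"` leaves the symbolic-link form of the same collision uncovered: a `SymbolicLink` entry followed by a File entry with the same path would, if the extractor opens the existing path for writing, write through the link to its target exactly as the hard-link case does. Whether fstream follows an existing symlink on write is not visible in this hunk, so I'd confirm it and then either extend the condition to `if (entry.type === "Link" || entry.type === "SymbolicLink") {` or add a comment above it stating why symlinks are already safe. `_startEntry` begins and ends outside the hunk.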
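Review bot: `this._hardLinks[entry.path]` on a plain `{}` also resolves inherited `Object.prototype` members, so an ordinary File entry named `constructor`, `toString` or `hasOwnProperty` is truthy here and is silently turned into `ignoredEntry` with no preceding Link, and a Link entry whose path is `__proto__` replaces the map's prototype instead of recording the entry. The lookup should be an own-property check, `if (entry.type === "File" && Object.prototype.hasOwnProperty.call(this._hardLinks, entry.path)) {`, or the map should be created as `Object.create(null)` in the constructor hunk so neither case can occur. `_startEntry` begins and ends outside the hunk.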
From: isaacs
Date: Tue, 14 May 2019 17:43:20 -0700
Subject: [PATCH 4/5] Bump fstream to fix hardlink overwriting vulnerability
Fix #212
Fix #213
---
 lib/parse.js                                |  4 --
 package.json                                |  2 +-
 test/link-file-entry-collision.js           | 39 ++++++++++++++++++++
 test/link-file-entry-collision/bad-link.hex | 25 +++++++++++++
 test/link-file-entry-collision/bad-link.tar | Bin 0 -> 3584 bytes
 5 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100644 test/link-file-entry-collision.js
 create mode 100644 test/link-file-entry-collision/bad-link.hex
 create mode 100644 test/link-file-entry-collision/bad-link.tar
diff --git a/lib/parse.js b/lib/parse.js
index e8d007ba..1c66ebda 100644
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -251,10 +251,6 @@ Parse.prototype._startEntry = function (c) {
   if (onend) entry.on("end", onend)
-  if (entry.type === "File" && this._hardLinks[entry.path]) {
-    ev = "ignoredEntry"
-  }
-
   this._entry = entry
   if (entry.type === "Link") {
diff --git a/package.json b/package.json
index c5b999b1..a338e117 100644
--- a/package.json
+++ b/package.json
@@ -13,7 +13,7 @@
   },
   "dependencies": {
     "block-stream": "*",
-    "fstream": "^1.0.2",
+    "fstream": "^1.0.12",
     "inherits": "2"
   },
   "devDependencies": {
diff --git a/test/link-file-entry-collision.js b/test/link-file-entry-collision.js
new file mode 100644
index 00000000..cb3e2d5e
--- /dev/null
+++ b/test/link-file-entry-collision.js
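Review bot: With the `ignoredEntry` branch removed, the `_hardLinks` map that the constructor still initializes and that the `if (entry.type === "Link") {` branch visible at the bottom of the hunk still populates has no remaining reader in this file, so the parser now carries write-only state whose purpose is invisible to the next maintainer. Either drop the map and that branch together with this check, or leave a comment above `this._entry = entry` such as `// Link/File path collisions are no longer filtered here; extraction relies on fstream >= 1.0.12 for that` so the dependency on the bumped package is recorded next to the code that used to enforce it. The protection now lives entirely in whichever fstream version is resolved, so the range bump in package.json is the whole fix and deserves that cross-reference. `_startEntry` begins and ends outside the hunk.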
@@ -0,0 +1,39 @@
+// Set the umask, so that it works the same everywhere.
+process.umask(parseInt('22', 8))
+
+var tap = require("tap")
+  , tar = require("../tar.js")
+  , fs = require("fs")
+  , path = require("path")
+  , file = path.resolve(__dirname, "link-file-entry-collision/bad-link.tar")
+  , target = path.resolve(__dirname, "tmp/link-file-entry-collision")
+  , index = 0
+  , fstream = require("fstream")
+  , mkdirp = require("mkdirp")
+  , rimraf = require("rimraf")
+
+tap.test("preclean", function (t) {
+  rimraf.sync(target)
+  t.pass("cleaned!")
+  t.end()
+})
+
+tap.test("extract test", function (t) {
+  var extract = tar.Extract(target)
+  var inp = fs.createReadStream(file)
+  inp.pipe(extract)
+
+  extract.on("end", function () {
+    t.equal(fs.readFileSync(target + "/bad-link-target", "utf8"),
+      "this should remain the same\n")
+    t.equal(fs.readFileSync(target + "/a.txt", "utf8"),
+      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")
+    t.end()
+  })
+})
+
+tap.test("cleanup", function (t) {
+  rimraf.sync(target)
+  t.pass("cleaned!")
+  t.end()
+})
diff --git a/test/link-file-entry-collision/bad-link.hex b/test/link-file-entry-collision/bad-link.hex
new file mode 100644
index 00000000..99f5db0d
--- /dev/null
+++ b/test/link-file-entry-collision/bad-link.hex
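Review bot: The assertions in the `extract.on("end")` handler check the two files' contents but not the property the archive attacks, namely that `a.txt` and `bad-link-target` no longer share an inode; a third check such as `t.notEqual(fs.statSync(target + "/a.txt").ino, fs.statSync(target + "/bad-link-target").ino)` would pin that directly and catch a regression that happens to leave the contents intact. This presumes the fixed extractor replaces the link with a fresh file rather than writing through it, which the retained contents suggest but this hunk does not show — confirm before adding it. `index`, `fstream` and `mkdirp` are declared but never used in the test, and the extract stream has no `error` listener, so a failure inside `tar.Extract` would surface as an unhandled event rather than a test failure.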
@@ -0,0 +1,25 @@ +-- header for the link target -- +6261642d6c696e6b2d74617267657400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000303030363434200030303037363520003030303032342000303030303030303030333420313334363636353530353620303134333731002030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # bad-link-target.....................................................................................000644..000765..000024..00000000034.13466655056.014371..0................................................................................................... +00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000......................................................................................................................................................................... 
+ +-- link target file contents (should not be overwritten) -- +746869732073686f756c642072656d61696e207468652073616d650a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # this.should.remain.the.same..................................................................................................................................................................................................................................... +00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ + +-- header for the link named a.txt -- 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 # a.txt...............................................................................................000644..000765..000024..00000000000.13466655056.015342..1bad-link-target.................................................................................... 
+00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000......................................................................................................................................................................... + +-- header for file entry which attempts to overwrite the link -- +612e7478740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000303030363434200030353737363120003030303032342000303030303030303034303120313136353133363033333320303132343531002030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # a.txt...............................................................................................000644..057761..000024..00000000401.11651360333.012451..0................................................................................................... 
+00757374617200303069736161637300000000000000000000000000000000000000000000000000007374616666000000000000000000000000000000000000000000000000000000303030303030200030303030303020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # .ustar.00isaacs..........................staff...........................000000..000000......................................................................................................................................................................... + +-- contents that threaten to overwrite the link target -- +61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
+61000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # a............................................................................................................................................................................................................................................................... + +-- tar eof -- +00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ 
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ +00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ 
+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 # ................................................................................................................................................................................................................................................................ diff --git a/test/link-file-entry-collision/bad-link.tar b/test/link-file-entry-collision/bad-link.tar new file mode 100644 index 0000000000000000000000000000000000000000..be0b0d2f73a2cdca26771554090aca269bfcfc69 GIT binary patch literal 3584 zcmeHH+X{m)4E1?mksoj*wvFFYr%stVuod?C3-dvyu%}f7o0r^5I638{uw~k{!z1-} zyjMO6VTj0DLn1zB^YNI?xs=3|22z@tjX}eJq*YD{UmvH zFX<+lH<_11giZgT1>dv|T=Sf|62_{x?Et>1z}ddK929bd^+yKm)xW~1egP@c_^p4@ z%eVfG(pdsj>~Ne;uK!*C-{d*d_Wo-mAYwy`Q7I+&Khq}O|3yFnBYSoW$ZZ@Q8Hfx- I29C_Y8xFy>h5!Hn literal 0 HcmV?d00001 From 523c5c7fef48b10811fccd12b42803c61b6aead8 Mon Sep 17 00:00:00 2001 From: isaacs Date: Tue, 14 May 2019 17:43:35 -0700 Subject: [PATCH 5/5] 2.2.2 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index a338e117..23acb9fb 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "author": "Isaac Z. Schlueter (http://blog.izs.me/)", "name": "tar", "description": "tar for node", - "version": "2.2.1", + "version": "2.2.2", "repository": { "type": "git", "url": "git://github.com/isaacs/node-tar.git"