systar: Create file after header checks

2022-09-14 09:57:38 +02:00 · 2022-09-14 09:57:38 +02:00 · a05593da5b
commit a05593da5b
parent fec9c0f981
1 changed files with 12 additions and 7 deletions
--- a/storage/sealer/tarutil/systar.go
+++ b/storage/sealer/tarutil/systar.go
@ -5,6 +5,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"

 	logging "github.com/ipfs/go-log/v2"
 	"golang.org/x/xerrors"
@ -87,13 +88,6 @@ func ExtractTar(body io.Reader, dir string, buf []byte) (int64, error) {
 		case nil:
 		}

-		//nolint:gosec
-		f, err := os.Create(filepath.Join(dir, header.Name))
-		if err != nil {
-			//nolint:gosec
-			return read, xerrors.Errorf("creating file %s: %w", filepath.Join(dir, header.Name), err)
-		}
-
 		sz, found := CacheFileConstraints[header.Name]
 		if !found {
 			return read, xerrors.Errorf("tar file %#v isn't expected")
@ -102,6 +96,17 @@ func ExtractTar(body io.Reader, dir string, buf []byte) (int64, error) {
 			return read, xerrors.Errorf("tar file %#v is bigger than expected: %d > %d", header.Name, header.Size, sz)
 		}

+		out := filepath.Join(dir, header.Name) //nolint:gosec
+
+		if !strings.HasPrefix(out, filepath.Clean(dir)) {
+			return read, xerrors.Errorf("unsafe tar path %#v (must be within %#v)", out, filepath.Clean(dir))
+		}
+
+		f, err := os.Create(out)
+		if err != nil {
+			return read, xerrors.Errorf("creating file %s: %w", out, err)
+		}
+
 		ltr := io.LimitReader(tr, header.Size)

 		r, err := io.CopyBuffer(f, ltr, buf)