systar: Create file after header checks
parent
fec9c0f981
commit
a05593da5b
@ -5,6 +5,7 @@ import (
|
||||
"io"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
logging "github.com/ipfs/go-log/v2"
|
||||
"golang.org/x/xerrors"
|
||||
@ -87,13 +88,6 @@ func ExtractTar(body io.Reader, dir string, buf []byte) (int64, error) {
|
||||
case nil:
|
||||
}
|
||||
|
||||
//nolint:gosec
|
||||
f, err := os.Create(filepath.Join(dir, header.Name))
|
||||
if err != nil {
|
||||
//nolint:gosec
|
||||
return read, xerrors.Errorf("creating file %s: %w", filepath.Join(dir, header.Name), err)
|
||||
}
|
||||
|
||||
sz, found := CacheFileConstraints[header.Name]
|
||||
if !found {
|
||||
return read, xerrors.Errorf("tar file %#v isn't expected")
|
||||
@ -102,6 +96,17 @@ func ExtractTar(body io.Reader, dir string, buf []byte) (int64, error) {
|
||||
return read, xerrors.Errorf("tar file %#v is bigger than expected: %d > %d", header.Name, header.Size, sz)
|
||||
}
|
||||
|
||||
out := filepath.Join(dir, header.Name) //nolint:gosec
|
||||
|
||||
if !strings.HasPrefix(out, filepath.Clean(dir)) {
|
||||
return read, xerrors.Errorf("unsafe tar path %#v (must be within %#v)", out, filepath.Clean(dir))
|
||||
}
|
||||
|
||||
f, err := os.Create(out)
|
||||
if err != nil {
|
||||
return read, xerrors.Errorf("creating file %s: %w", out, err)
|
||||
}
|
||||
|
||||
ltr := io.LimitReader(tr, header.Size)
|
||||
|
||||
r, err := io.CopyBuffer(f, ltr, buf)
|
||||
|
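Review bot: The new containment check `strings.HasPrefix(out, filepath.Clean(dir))` compares raw strings, so a sibling path that only shares the prefix (for example `<dir>-other/file`, a constructed sample) passes, and a relative `dir` such as `.` makes every entry fail because `filepath.Join` drops the leading `./`. The `CacheFileConstraints` lookup above presumably already limits `header.Name` to known names, so this is a defence-in-depth gap rather than a demonstrated escape, but the guard should hold on its own. Consider a component-aware test such as `rel, err := filepath.Rel(dir, out)` and rejecting when `err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))`, or `filepath.IsLocal(header.Name)` before joining if the module targets Go 1.20 or later. Separately, the context line `xerrors.Errorf("tar file %#v isn't expected")` has a verb with no argument; `header.Name` looks intended. ExtractTar starts and ends outside the hunks shown.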