-
-
Save sdomino/635a5ed4f32c93aad131 to your computer and use it in GitHub Desktop.
| // Untar takes a destination path and a reader; a tar reader loops over the tarfile | |
| // creating the file structure at 'dst' along the way, and writing any files | |
| func Untar(dst string, r io.Reader) error { | |
| gzr, err := gzip.NewReader(r) | |
| if err != nil { | |
| return err | |
| } | |
| defer gzr.Close() | |
| tr := tar.NewReader(gzr) | |
| for { | |
| header, err := tr.Next() | |
| switch { | |
| // if no more files are found return | |
| case err == io.EOF: | |
| return nil | |
| // return any other error | |
| case err != nil: | |
| return err | |
| // if the header is nil, just skip it (not sure how this happens) | |
| case header == nil: | |
| continue | |
| } | |
| // the target location where the dir/file should be created | |
| target := filepath.Join(dst, header.Name) | |
| // the following switch could also be done using fi.Mode(), not sure if there | |
| // a benefit of using one vs. the other. | |
| // fi := header.FileInfo() | |
| // check the file type | |
| switch header.Typeflag { | |
| // if its a dir and it doesn't exist create it | |
| case tar.TypeDir: | |
| if _, err := os.Stat(target); err != nil { | |
| if err := os.MkdirAll(target, 0755); err != nil { | |
| return err | |
| } | |
| } | |
| // if it's a file create it | |
| case tar.TypeReg: | |
| f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode)) | |
| if err != nil { | |
| return err | |
| } | |
| // copy over contents | |
| if _, err := io.Copy(f, tr); err != nil { | |
| return err | |
| } | |
| // manually close here after each file operation; defering would cause each file close | |
| // to wait until all operations have completed. | |
| f.Close() | |
| } | |
| } | |
| } |
How to write unit test for the same ?
Just wanted to point out that this code is vulnerable to a zip-slip attack: https://snyk.io/research/zip-slip-vulnerability On line 32, you should validate the target by using a solution like the one proposed in the link
How can this account for symlinks?
How can this account for symlinks?
case tar.TypeSymlink:
err := os.Symlink(header.Linkname, target)
if err != nil {
return err
}
Just wanted to point out that this code is vulnerable to a zip-slip attack: https://snyk.io/research/zip-slip-vulnerability On line 32, you should validate the
targetby using a solution like the one proposed in the link
@ItalyPaleAle Hey in the article it says in the go section:
"The Go ecosystem only has one vulnerable library that we found which was fixed within two days of us disclosing the issue."
So is this code still vulnerable? Or did the go team handle this problem by updating the archive package?
@Sommerrolle to my understanding, they were referring to a 3rd-party library. I believe the code above is still vulnerable since it doesn't do any validation/sanitization on the path.
@ItalyPaleAle thanks for your answer!
I just added this snippet after line 32:
if !fs.ValidPath(target) { return &fs.PathError{Op: "open", Path: target, Err: fs.ErrInvalid} }
It is from the archive package
defer gzr.Close()should go after the error handling. You will callClose()on nil if you end up getting a bad*gzip.Reader.