Skip to content

Instantly share code, notes, and snippets.

Last active August 27, 2023 04:00
Show Gist options
  • Save sdomino/635a5ed4f32c93aad131 to your computer and use it in GitHub Desktop.
Save sdomino/635a5ed4f32c93aad131 to your computer and use it in GitHub Desktop.
// Untar takes a destination path and a reader; a tar reader loops over the tarfile
// creating the file structure at 'dst' along the way, and writing any files
func Untar(dst string, r io.Reader) error {
gzr, err := gzip.NewReader(r)
if err != nil {
return err
defer gzr.Close()
tr := tar.NewReader(gzr)
for {
header, err := tr.Next()
switch {
// if no more files are found return
case err == io.EOF:
return nil
// return any other error
case err != nil:
return err
// if the header is nil, just skip it (not sure how this happens)
case header == nil:
// the target location where the dir/file should be created
target := filepath.Join(dst, header.Name)
// the following switch could also be done using fi.Mode(), not sure if there
// a benefit of using one vs. the other.
// fi := header.FileInfo()
// check the file type
switch header.Typeflag {
// if its a dir and it doesn't exist create it
case tar.TypeDir:
if _, err := os.Stat(target); err != nil {
if err := os.MkdirAll(target, 0755); err != nil {
return err
// if it's a file create it
case tar.TypeReg:
f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
if err != nil {
return err
// copy over contents
if _, err := io.Copy(f, tr); err != nil {
return err
// manually close here after each file operation; defering would cause each file close
// to wait until all operations have completed.
Copy link

Sommerrolle commented Jan 23, 2023

Just wanted to point out that this code is vulnerable to a zip-slip attack: On line 32, you should validate the target by using a solution like the one proposed in the link

@ItalyPaleAle Hey in the article it says in the go section:
"The Go ecosystem only has one vulnerable library that we found which was fixed within two days of us disclosing the issue."

So is this code still vulnerable? Or did the go team handle this problem by updating the archive package?

Copy link

@Sommerrolle to my understanding, they were referring to a 3rd-party library. I believe the code above is still vulnerable since it doesn't do any validation/sanitization on the path.

Copy link

@ItalyPaleAle thanks for your answer!

I just added this snippet after line 32:
if !fs.ValidPath(target) { return &fs.PathError{Op: "open", Path: target, Err: fs.ErrInvalid} }
It is from the archive package

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment