Merge pull request #6311 from hashicorp/testtarparent

tar path traversal test
2018-05-25 12:19:15 -07:00 · 2018-05-25 12:19:15 -07:00 · 8d8a9146ca
parent cd6390ca17 788418cff2
commit 8d8a9146ca
3 changed files with 26 additions and 0 deletions
--- a/common/test-fixtures/decompress-tar/outside_parent.tar
+++ b/common/test-fixtures/decompress-tar/outside_parent.tar
--- a/post-processor/vagrant/virtualbox.go
+++ b/post-processor/vagrant/virtualbox.go
@ -133,7 +133,15 @@ func DecompressOva(dir, src string) error {
 		if hdr == nil || err == io.EOF {
 			break
 		}
+		if err != nil {
+			return err
+		}

+		// We use the fileinfo to get the file name because we are not
+		// expecting path information as from the tar header. It's important
+		// that we not use the path name from the tar header without checking
+		// for the presence of `..`. If we accidentally allow for that, we can
+		// open ourselves up to a path traversal vulnerability.
 		info := hdr.FileInfo()

 		// Shouldn't be any directories, skip them
--- a/post-processor/vagrant/virtualbox_test.go
+++ b/post-processor/vagrant/virtualbox_test.go
@ -1,9 +1,27 @@
 package vagrant

 import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )

 func TestVBoxProvider_impl(t *testing.T) {
 	var _ Provider = new(VBoxProvider)
 }
+
+func TestDecomressOVA(t *testing.T) {
+	td, err := ioutil.TempDir("", "pp-vagrant-virtualbox")
+	assert.NoError(t, err)
+	fixture := "../../common/test-fixtures/decompress-tar/outside_parent.tar"
+	err = DecompressOva(td, fixture)
+	assert.NoError(t, err)
+	_, err = os.Stat(filepath.Join(filepath.Base(td), "demo.poc"))
+	assert.Error(t, err)
+	_, err = os.Stat(filepath.Join(td, "demo.poc"))
+	assert.NoError(t, err)
+	os.RemoveAll(td)
+}