-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for symlink when untarring an archive #60
Comments
Was just burned by this through Nomad. |
@tonyarkles same here. Since I'm using the raw_exec driver, I used tar as a workaround to extract the archive. I also extract the archive outside nomad's directory.
|
This is breaking us in production :/ Is there an ETA for a fix? |
Looks there is a PR for that, haven't got in. |
👍 nice what’s the blocker on merging?
On Fri, 22 Feb 2019 at 18:15, johnzhanghua ***@***.***> wrote:
#37 <#37>
Looks there is a PR for that, haven't got in.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#60 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABOv-gWqDIYxPH1oRBDUe-Y2w1LQsldhks5vP6cggaJpZM4NOOn7>
.
--
James Mills / prologic
E: [email protected]
W: prologic.shortcircuit.net.au
|
As a temporary fix we may be able to build our own Nomad until this PR
gets merged
On Fri, 22 Feb 2019 at 18:34, James Mills <[email protected]>
wrote:
👍 nice what’s the blocker on merging?
On Fri, 22 Feb 2019 at 18:15, johnzhanghua ***@***.***>
wrote:
> #37 <#37>
>
> Looks there is a PR for that, haven't got in.
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <#60 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/ABOv-gWqDIYxPH1oRBDUe-Y2w1LQsldhks5vP6cggaJpZM4NOOn7>
> .
>
--
James Mills / prologic
E: ***@***.***
W: prologic.shortcircuit.net.au
--
James Mills / prologic
E: [email protected]
W: prologic.shortcircuit.net.au
|
I might also take this PR and re-factor into a new one because it’s over
two years old and the original comments were not addressed
On Fri, 22 Feb 2019 at 18:39, johnzhanghua ***@***.***> wrote:
Yes. Looks we need to do that. Can't wait. I will have a go for that
tomorrow. With the symbol link fix. You do the packaging extraction.
Thanks,
John
On Fri, 22 Feb 2019 at 6:36 pm, James Mills ***@***.***>
wrote:
> As a temporary fix we may be able to build our own Nomad until this PR
> gets merged
>
> On Fri, 22 Feb 2019 at 18:34, James Mills ***@***.***>
> wrote:
>
> > 👍 nice what’s the blocker on merging?
> >
> > On Fri, 22 Feb 2019 at 18:15, johnzhanghua ***@***.***>
> > wrote:
> >
> >> #37 <#37>
> >>
> >> Looks there is a PR for that, haven't got in.
> >>
> >> —
> >> You are receiving this because you commented.
> >> Reply to this email directly, view it on GitHub
> >> <
> #60 (comment)
>,
> >> or mute the thread
> >> <
>
https://github.com/notifications/unsubscribe-auth/ABOv-gWqDIYxPH1oRBDUe-Y2w1LQsldhks5vP6cggaJpZM4NOOn7
> >
> >> .
> >>
> > --
> >
> > James Mills / prologic
> >
> > E: ***@***.***
> > W: prologic.shortcircuit.net.au
> >
> --
>
> James Mills / prologic
>
> E: ***@***.***
> W: prologic.shortcircuit.net.au
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <#60 (comment)
>,
> or mute the thread
> <
https://github.com/notifications/unsubscribe-auth/AQxeL-zXh6kM0d6Mnflsm2Zt1P3bG1dRks5vP6wKgaJpZM4NOOn7
>
> .
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#60 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABOv-uzj-0pg4CKqmVkAv06jzZtyPhKMks5vP6zMgaJpZM4NOOn7>
.
--
James Mills / prologic
E: [email protected]
W: prologic.shortcircuit.net.au
|
Before I do; I'd love it if someone from Hashicorp commented on this with some more recent context/update. |
Hey @prologic ! I would love to review such a PR, I don't have much context to add here and also nothing to add on top of the original code review. We just have to make sure it works on all OSes and unit (ci) tests are green on all platforms 🙂. |
👍
On Mon, 25 Feb 2019 at 18:08, Adrien Delorme ***@***.***> wrote:
Hey @prologic <https://github.com/prologic> ! I would love to review such
a PR, I don't have much context to add here and also nothing to add on to
of the original code review. We just have to make sure it works on all OSes
and unit tests are ran on all platforms 🙂.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#60 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABOv-sXz2rAF27FDTYB9atLkvRpTnwv5ks5vQ5nogaJpZM4NOOn7>
.
--
James Mills / prologic
E: [email protected]
W: prologic.shortcircuit.net.au
|
I needed to support extracting symlinks in Tar archives myself internally at our company with the package manager we're writing to support Nomad. I thought I may as well (at the same time) rethink/resolve what was attempted here and came across the securejoin library. It appears ti on inspection of the code and testing solve exactly what we need to address symlink security issues that were present in #171 I'd love it if someone could also confirm the validity of using this library which itself is slated to go into the Go standard library. (not point reinventing the wheel on this one!) If happy I can resubmit a slightly improved version of #171 with added tests for verifications that we don't escape the chroot directory being extracted to in any way. |
While it's difficult to determine whether or not it's safe to trust a 3rd party library, the list of projects using SecureJoin gives me quite a bit of confidence (helm, opencontainers, jessfraz, etc). The reasons given in #171 to reject it from the stdlib don't seem to apply to go-getter's use case. If I can attempt to summarize them:
tl;dr - Yes! This should work! I think as long as you include some symlink root path escape tests we can accept tar symlink implementations using this library. |
I actually tried to look for the C source to GNU Tar (I found the source) but I wasn't able to find the code that protects against chroot escapeing :/ (I only looked in obvious |
@schmichael PR #129 is a new implementation as we discussed in comments above and ensures we don't escape the path we're extracting in to. |
Operating System:
Ubuntu 16.04
Issue:
When a tarball has symlink inside it, go-getter turns the symlink into zero-length file. One benefit of having go-getter support this would be with respect to Nomad specifically with the artifact stanza https://www.nomadproject.io/docs/job-specification/artifact.html, since some tarball could contain symlink in it.
Repro:
python -m SimpleHTTPServer 8000
go-getter http://127.0.0.1:8000/test_dir.tar.gz ~/
The text was updated successfully, but these errors were encountered: