systar: Create file after header checks

filecoin-project · Sep 14, 2022 · 495bc4a · 495bc4a
1 parent 60f8533
commit 495bc4a
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/storage/sealer/tarutil/systar.go b/storage/sealer/tarutil/systar.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 
 	logging "github.com/ipfs/go-log/v2"
 	"golang.org/x/xerrors"
@@ -88,13 +89,6 @@ func ExtractTar(body io.Reader, dir string, buf []byte) (int64, error) {
 		case nil:
 		}
 
-		//nolint:gosec
-		f, err := os.Create(filepath.Join(dir, header.Name))
-		if err != nil {
-			//nolint:gosec
-			return read, xerrors.Errorf("creating file %s: %w", filepath.Join(dir, header.Name), err)
-		}
-
 		sz, found := CacheFileConstraints[header.Name]
 		if !found {
 			return read, xerrors.Errorf("tar file %#v isn't expected")
@@ -103,6 +97,18 @@ func ExtractTar(body io.Reader, dir string, buf []byte) (int64, error) {
 			return read, xerrors.Errorf("tar file %#v is bigger than expected: %d > %d", header.Name, header.Size, sz)
 		}
 
+		//nolint:gosec - we check this path before and after this join
+		out := filepath.Join(dir, header.Name)
+
+		if !strings.HasPrefix(out, filepath.Clean(dir)) {
+			return read, xerrors.Errorf("unsafe tar path %#v (must be within %#v)", out, filepath.Clean(dir))
+		}
+
+		f, err := os.Create(out)
+		if err != nil {
+			return read, xerrors.Errorf("creating file %s: %w", out, err)
+		}
+
 		ltr := io.LimitReader(tr, header.Size)
 
 		r, err := io.CopyBuffer(f, ltr, buf)