systar: Create file after header checks

filecoin-project · Sep 19, 2022 · a05593d · a05593d
1 parent fec9c0f
commit a05593d
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/storage/sealer/tarutil/systar.go b/storage/sealer/tarutil/systar.go
@@ -5,6 +5,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 
 	logging "github.com/ipfs/go-log/v2"
 	"golang.org/x/xerrors"
@@ -87,13 +88,6 @@ func ExtractTar(body io.Reader, dir string, buf []byte) (int64, error) {
 		case nil:
 		}
 
-		//nolint:gosec
-		f, err := os.Create(filepath.Join(dir, header.Name))
-		if err != nil {
-			//nolint:gosec
-			return read, xerrors.Errorf("creating file %s: %w", filepath.Join(dir, header.Name), err)
-		}
-
 		sz, found := CacheFileConstraints[header.Name]
 		if !found {
 			return read, xerrors.Errorf("tar file %#v isn't expected")
@@ -102,6 +96,17 @@ func ExtractTar(body io.Reader, dir string, buf []byte) (int64, error) {
 			return read, xerrors.Errorf("tar file %#v is bigger than expected: %d > %d", header.Name, header.Size, sz)
 		}
 
+		out := filepath.Join(dir, header.Name) //nolint:gosec
+
+		if !strings.HasPrefix(out, filepath.Clean(dir)) {
+			return read, xerrors.Errorf("unsafe tar path %#v (must be within %#v)", out, filepath.Clean(dir))
+		}
+
+		f, err := os.Create(out)
+		if err != nil {
+			return read, xerrors.Errorf("creating file %s: %w", out, err)
+		}
+
 		ltr := io.LimitReader(tr, header.Size)
 
 		r, err := io.CopyBuffer(f, ltr, buf)