fix: Improve Path Boundary Validation in SafeTarExtractor#1580
Open
sarv-tech wants to merge 1 commit into
Open
fix: Improve Path Boundary Validation in SafeTarExtractor#1580sarv-tech wants to merge 1 commit into
sarv-tech wants to merge 1 commit into
Conversation
|
Someone is attempting to deploy a commit to the Anuj's projects Team on Vercel. A member of the Team first needs to authorize it. |
Author
|
@steam-bell-92 I've created PR review approve and add labels as well |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📖 Description
This Pull Request strengthens the directory boundary validation mechanisms within
SafeTarExtractor(security/tar_safe.py) to prevent path traversal attempts.The Problem:
Previously, the
_validate_memberfunction relied on string prefix comparisons (target_str.startswith(extract_str)) to verify that an extracted file remains inside the intended destination directory. This approach is vulnerable to "Partial Path Traversal" bypasses. Because it evaluates raw strings without enforcing directory separators, an attacker can extract files to a sibling directory that shares the same prefix (e.g., if the destination is/tmp/extracted, a payload pointing to../extracted_evil/file.txtsuccessfully bypasses the validation).The Solution:
This PR replaces the flawed prefix-based string validation with
os.path.commonpath(). The new implementation evaluates the resolved paths structurally, guaranteeing that the extracted file strictly resides within the parent hierarchy of the target directory.🛠️ Implementation Details
str.startswith()withos.path.commonpath()in both the primary.resolve()block and the.absolute()fallback block.ValueErrorhandling foros.path.commonpath(). On Windows, this error is raised if paths reside on different drives (which fundamentally constitutes a traversal escape). This is safely caught and mapped to anUnsafeTarError.extractmethod signatures, and exception types remain perfectly intact.🔄 Type of Change
🧪 How Has This Been Tested?
Comprehensive regression tests were added and executed successfully against the updated code.
New Tests Added in
tests/test_security.py:test_sibling_directory_traversal: Verifies that payloads targeting sibling directories sharing a common prefix (../extracted_evil/evil.txt) are successfully rejected.test_absolute_path_traversal: Verifies that absolute path payloads (/tmp/evil_absolute.txt) are strictly blocked.test_nested_valid_directories: Verifies that standard deep-nested directories continue to extract correctly without false positives.Execution Results:
pytest tests/ -vcompletes flawlessly (59/59 tests passing, 0 skips, 0 failures).✅ Checklist
fix #1578