Skip to content

Instantly share code, notes, and snippets.

@sdomino
Last active August 27, 2023 04:00
Show Gist options
  • Save sdomino/635a5ed4f32c93aad131 to your computer and use it in GitHub Desktop.
Save sdomino/635a5ed4f32c93aad131 to your computer and use it in GitHub Desktop.
// Untar takes a destination path and a reader; a tar reader loops over the tarfile
// creating the file structure at 'dst' along the way, and writing any files
func Untar(dst string, r io.Reader) error {
gzr, err := gzip.NewReader(r)
if err != nil {
return err
}
defer gzr.Close()
tr := tar.NewReader(gzr)
for {
header, err := tr.Next()
switch {
// if no more files are found return
case err == io.EOF:
return nil
// return any other error
case err != nil:
return err
// if the header is nil, just skip it (not sure how this happens)
case header == nil:
continue
}
// the target location where the dir/file should be created
target := filepath.Join(dst, header.Name)
// the following switch could also be done using fi.Mode(), not sure if there
// a benefit of using one vs. the other.
// fi := header.FileInfo()
// check the file type
switch header.Typeflag {
// if its a dir and it doesn't exist create it
case tar.TypeDir:
if _, err := os.Stat(target); err != nil {
if err := os.MkdirAll(target, 0755); err != nil {
return err
}
}
// if it's a file create it
case tar.TypeReg:
f, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
if err != nil {
return err
}
// copy over contents
if _, err := io.Copy(f, tr); err != nil {
return err
}
// manually close here after each file operation; defering would cause each file close
// to wait until all operations have completed.
f.Close()
}
}
}
@surajnarwade
Copy link

How to write unit test for the same ?

@ItalyPaleAle
Copy link

Just wanted to point out that this code is vulnerable to a zip-slip attack: https://snyk.io/research/zip-slip-vulnerability On line 32, you should validate the target by using a solution like the one proposed in the link

@bozdoz
Copy link

bozdoz commented Nov 12, 2022

How can this account for symlinks?

@Ninroot
Copy link

Ninroot commented Jan 9, 2023

How can this account for symlinks?

case tar.TypeSymlink:
    err := os.Symlink(header.Linkname, target)
    if err != nil {
        return err
    }

@Sommerrolle
Copy link

Sommerrolle commented Jan 23, 2023

Just wanted to point out that this code is vulnerable to a zip-slip attack: https://snyk.io/research/zip-slip-vulnerability On line 32, you should validate the target by using a solution like the one proposed in the link

@ItalyPaleAle Hey in the article it says in the go section:
"The Go ecosystem only has one vulnerable library that we found which was fixed within two days of us disclosing the issue."

So is this code still vulnerable? Or did the go team handle this problem by updating the archive package?

@ItalyPaleAle
Copy link

@Sommerrolle to my understanding, they were referring to a 3rd-party library. I believe the code above is still vulnerable since it doesn't do any validation/sanitization on the path.

@Sommerrolle
Copy link

@ItalyPaleAle thanks for your answer!

I just added this snippet after line 32:
if !fs.ValidPath(target) { return &fs.PathError{Op: "open", Path: target, Err: fs.ErrInvalid} }
It is from the archive package

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment