Firstyear / obs-service-cargo

OBS Source Service and utilities for Rust software packaging
Mozilla Public License 2.0

Remove insecure archive decompression #11

Closed Firstyear closed 4 years ago

Firstyear commented 4 years ago

As part of the process to integrate this tool to obs, a security review was undertaken at SUSE. It was highlighted that the use of Tarfile is unsafe, and may be exploitable via untrusted tar archives from a malicious party. A number of suggestions were discussed. Python has been attempting to develop a safetar module, but it's not ready yet. Another option was attempting a chroot with nsjail. However, this would mean manually calling tar with subprocess, leading to other complications, and nsjail has about 3000 tunables which unless configured properly could still be an issue.

Instead, a simpler approach exists - it's not our problem. We only need to perform cargo vendor in a source directory. obs_scm as part of its operation already creates a directory like this that we can use. It's not only faster (saving a decompression step), but simpler, and completely avoids all security issues associated with tar file decompression.

If a project is not able to use obs_scm, and would need decompression this becomes "not our problem" - it would be the task of a separate obs module to provide a decompression service to allow the source to be fed to cargo vendor.

Of course, this is a breaking change as we remove a number of options, and add others, but it's a change that leads toward inclusion in OBS as a true server side service. I have already tested this with some projects and can confirm it works.

Author: William Brown
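The tarfile hazard the comment above refers to, shown as an added illustration that is not code from this repository: a pre-extraction scan that flags archive members which would land outside the intended destination directory, or which are links or special files, run over a small constructed archive. The destination path, the function names and the sample entries are assumptions made for this example.

```python
import io
import os
import tarfile


def unsafe_members(tar: tarfile.TarFile, dest: str = "/srv/vendor") -> list:
    """Return names of members that a plain extractall() would write outside
    dest, or that are links/special files (all of which tarfile honours)."""
    dest = os.path.realpath(dest)          # hypothetical vendor directory
    flagged = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, m.name))
        if os.path.commonpath([dest, target]) != dest:
            flagged.append(m.name)         # absolute path or ".." escape
        elif m.issym() or m.islnk():
            flagged.append(m.name)         # links can redirect later writes
        elif not (m.isfile() or m.isdir()):
            flagged.append(m.name)         # devices, fifos, etc.
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file, one traversal entry, one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b'[package]\nname = "demo"\n'
        ti = tarfile.TarInfo("demo/Cargo.toml")
        ti.size = len(data)
        tar.addfile(ti, io.BytesIO(data))
        escape = tarfile.TarInfo("../../etc/escaped")   # constructed bad entry
        escape.size = 0
        tar.addfile(escape, io.BytesIO(b""))
        link = tarfile.TarInfo("demo/link")             # constructed symlink
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def scan(archive: bytes) -> list:
    """Open an in-memory archive and report the members that must be rejected."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return unsafe_members(tar)
```

The two flagged entries are exactly the kind of member a plain `extractall()` would follow; the change in this PR sidesteps the whole class by never decompressing at all.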

Firstyear commented 4 years ago

I may update this to clean up the readme, but I won't change the code.

Firstyear commented 4 years ago

Great, thank you! When you're ready if you do a release/tag of the version, I'll go through the obs update process and finish work with the security teams to hopefully get this as an active service in obs proper. Much appreciated.

saschagrunert commented 4 years ago

Thank you, I’ve drafted v0.4.0.