OWASP / pysap

pysap is an open source Python library that provides modules for crafting and sending packets using SAP's NI, Diag, Enqueue, Router, MS, SNC, IGS, RFC and HDB protocols.
https://owasp.org/www-project-core-business-application-security/
GNU General Public License v2.0

Specify output directory when extracting SAPCAR archives #23

Closed okuuva closed 6 years ago

okuuva commented 6 years ago

The pysapcar script currently follows the SAPCAR CLI tool specifications, where it stores and extracts files with absolute path names. While I understand the logic behind it to preserve compatibility with official tooling, it's a tremendous security risk: one could accidentally overwrite system libraries and binaries by extracting an archive without listing the contents first. Even when checking the file listing beforehand, there's no way to safely extract an archive containing e.g. /usr/bin/bash with an absolute pathname.

I suggest adding a -o outdir option to the pysapcar script. This way we could maintain compatibility with the official SAPCAR tool while having a way to safely extract SAPCAR archives which have been compressed with absolute file paths.

I'm happy to submit a pull request on this issue :)
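As an added illustration of the extraction behaviour discussed above (example code written for this page, not pysap's own implementation and not the PR), the helper below shows how an outdir option can re-root absolute member names under the chosen directory and reject members that would still escape it via "..". The archive listing, the function names and the file contents are constructed for the example.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath

# Constructed sample listing: (name as stored in the archive, content).
# The first entry mirrors the issue's example of an absolute member name.
SAMPLE_MEMBERS = [
    ("/usr/bin/bash", b"#!/bin/sh\necho not really bash\n"),
    ("etc/../../../passwd", b"root:x:0:0\n"),
    ("sapmnt/trans/EPS/in/K900001.DEV", b"transport data\n"),
]


def safe_member_path(outdir, member_name):
    """Map an archive member name onto a path strictly inside outdir.

    Absolute names are re-rooted under outdir ('/usr/bin/bash' becomes
    '<outdir>/usr/bin/bash'); names that still leave outdir after lexical
    normalisation (e.g. via '..') raise ValueError. Hypothetical helper.
    """
    out_root = Path(outdir).resolve()
    # Split on '/' and drop the root component so the name is relative.
    parts = [p for p in PurePosixPath(member_name.replace("\\", "/")).parts
             if p not in ("/", "")]
    candidate = Path(os.path.normpath(str(out_root.joinpath(*parts))))
    try:
        candidate.relative_to(out_root)  # containment check after normpath
    except ValueError:
        raise ValueError("member escapes output directory: %r" % member_name)
    return candidate


def extract_members(members, outdir):
    """Write each (name, data) pair under outdir; report escaping members."""
    out_root = Path(outdir).resolve()
    written, skipped = [], []
    for name, data in members:
        try:
            dest = safe_member_path(outdir, name)
        except ValueError:
            skipped.append(name)
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        written.append(dest.relative_to(out_root).as_posix())
    return written, skipped


def extract_sample():
    """Run the constructed listing through a throwaway output directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_members(SAMPLE_MEMBERS, tmp)
```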

martingalloar commented 6 years ago

I think that would be great, as long as we keep the functionality of adding arbitrary path names to a given file, which was the main purpose of implementing the tool. Appreciated, and looking forward to the PR!

okuuva commented 6 years ago

Sure, specifying outputdir only affects extraction, and I made it optional, so by default extraction works exactly like in the original tooling.