buildinspace / peru

a generic package manager, for including other people's code in your projects
MIT License

check for tarballs containing sketchy symlinks #232

Closed oconnor663 closed 1 year ago

oconnor663 commented 1 year ago

It's acceptable for a tarball to have a symlink at a/b/c/foo.txt that points to ../../../foo.txt (see legal_symlink_dots.tar), because that symlink "stays within" the archive. However, it should be illegal for the same symlink to point to ../../../../foo.txt (see illegal_symlink_dots.tar), because that symlink "reaches outside" the archive. Similarly, it should always be illegal for a tarball to hold a symlink pointing to an absolute path.

Add validation and test cases for these behaviors.

TODO: Can zip archives hold symlinks?
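An added example of the check described in this issue (my own illustration, not peru's code): each symlink target is resolved lexically against the directory that holds the link, an absolute target is rejected outright, and anything that normalises to a path starting with `..` is flagged as escaping the archive. The helper names and the in-memory tarball are constructed for the example.

```python
import io
import posixpath
import tarfile


def symlink_is_safe(member_name: str, link_target: str) -> bool:
    """True if a symlink stored at member_name, pointing at link_target,
    resolves to a path that stays inside the archive root.

    Hypothetical helper. Paths are treated as POSIX archive paths and
    checked lexically; no filesystem is touched. Each link is judged on
    its own literal target, not on chains through other symlinked dirs.
    """
    # An absolute target always reaches outside the archive.
    if link_target.startswith("/"):
        return False
    link_dir = posixpath.dirname(member_name.lstrip("/"))
    resolved = posixpath.normpath(posixpath.join(link_dir, link_target))
    # After normalisation a leading ".." means the target left the root.
    return not (resolved == ".." or resolved.startswith("../"))


def find_sketchy_symlinks(tar: tarfile.TarFile) -> list[str]:
    """Names of symlink members whose target escapes the archive."""
    return [
        member.name
        for member in tar.getmembers()
        if member.issym() and not symlink_is_safe(member.name, member.linkname)
    ]


def build_archive(links: dict[str, str]) -> tarfile.TarFile:
    """Constructed in-memory tarball holding only the given symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in links.items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    sample = build_archive({
        "a/b/c/legal": "../../../foo.txt",      # stays within the archive
        "a/b/c/illegal": "../../../../foo.txt", # one ".." too many
        "abs": "/etc/hostname",                 # absolute: always rejected
    })
    print(find_sketchy_symlinks(sample))  # → ['a/b/c/illegal', 'abs']
```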

oconnor663 commented 1 year ago

I'm submitting an upstream docs PR related to this: https://github.com/python/cpython/pull/101812