nabla-c0d3 / nassl

Experimental OpenSSL wrapper for Python 3.8+ and SSLyze.
GNU Affero General Public License v3.0

Security issue: zip slip attacks #84

Closed aidbal closed 2 years ago

aidbal commented 2 years ago

Describe the bug

Hello,

There is a security issue in your code base. A similar issue was found in the SSLyze repo: https://github.com/nabla-c0d3/sslyze/issues/535

The code in build_tasks.py is using tarfile's extractall method, which is not protected and can be exploited by zip slip attacks.

https://github.com/nabla-c0d3/nassl/blob/release/build_tasks.py#L101

More info about zip slip:

Basically, when extracting the files from the archive, this code is not validating the file name.

If this file is named something like ../../../../../../../filename.py, the extraction process will extract it to the root system.

This is a known issue within tarfile library (https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall):

Warning

Never extract archives from untrusted sources without prior inspection.

It is possible that files are created outside of path, e.g. members that have absolute filenames starting with "/" or filenames with two dots "..". 

How to fix this

Ideally, this should be fixed in tarfile library itself.

However, 7 years have passed since the report and there is no news when that is going to be fixed: https://bugs.python.org/issue21109

What we can do here is, just before extracting the file, get its canonical destination path and ensure that path matches the expected extract directory.
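As an added illustration of the check proposed above (example code written for this page, not code from the nassl project or from the commenter): every member's canonical destination is resolved and compared against the extraction directory before anything is written, and symlink/hardlink targets get the same check. The `safe_extractall` and `build_tar` names are hypothetical, and the archives, including the one carrying a `../escaped.txt` member, are constructed in memory so the example runs offline.

```python
"""Guarded tarfile extraction: reject members whose destination escapes the target directory."""
import io
import os
import tarfile
import tempfile


def is_within_directory(directory: str, target: str) -> bool:
    """True if the canonical form of `target` lies inside `directory`."""
    real_dir = os.path.realpath(directory)
    real_target = os.path.realpath(target)
    return os.path.commonpath([real_dir, real_target]) == real_dir


def check_member(member: tarfile.TarInfo, dest_dir: str) -> None:
    """Raise tarfile.TarError if extracting `member` could touch anything outside dest_dir."""
    dest = os.path.join(dest_dir, member.name)
    # Absolute names and '..' components both resolve outside dest_dir here.
    if not is_within_directory(dest_dir, dest):
        raise tarfile.TarError(f"path traversal blocked: {member.name!r}")
    if member.issym():
        # A symlink target is interpreted relative to the link's own directory.
        target = os.path.join(os.path.dirname(dest), member.linkname)
        if not is_within_directory(dest_dir, target):
            raise tarfile.TarError(f"symlink escapes destination: {member.name!r}")
    elif member.islnk():
        # A hard link target is interpreted relative to the archive root.
        target = os.path.join(dest_dir, member.linkname)
        if not is_within_directory(dest_dir, target):
            raise tarfile.TarError(f"hard link escapes destination: {member.name!r}")
    elif not (member.isfile() or member.isdir()):
        # Devices, FIFOs etc. have no business in a source tarball.
        raise tarfile.TarError(f"unsupported member type: {member.name!r}")


def safe_extractall(tar: tarfile.TarFile, dest_dir: str) -> list:
    """Validate every member first, then extract; returns the extracted member names."""
    members = tar.getmembers()
    for member in members:          # pass 1: refuse the whole archive on any bad member
        check_member(member, dest_dir)
    extracted = []
    for member in members:          # pass 2: nothing written until all checks passed
        tar.extract(member, dest_dir)
        extracted.append(member.name)
    return extracted


def build_tar(members: dict) -> bytes:
    """Build a gzipped tar in memory (constructed test data; names are used verbatim)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Extract a clean archive, then a hostile one, and report what happened."""
    clean = build_tar({"openssl/README": b"ok\n"})
    # Constructed hostile archive: a benign member followed by a traversal member.
    hostile = build_tar({"openssl/README": b"ok\n", "../escaped.txt": b"outside\n"})
    with tempfile.TemporaryDirectory() as workdir:
        dest = os.path.join(workdir, "extract")
        os.makedirs(dest)
        with tarfile.open(fileobj=io.BytesIO(clean), mode="r:gz") as tar:
            clean_extracted = safe_extractall(tar, dest)
        try:
            with tarfile.open(fileobj=io.BytesIO(hostile), mode="r:gz") as tar:
                safe_extractall(tar, dest)
            hostile_blocked = False
        except tarfile.TarError:
            hostile_blocked = True
        # '../escaped.txt' relative to workdir/extract would land in workdir itself.
        escaped_file_created = os.path.exists(os.path.join(workdir, "escaped.txt"))
    return {
        "clean_extracted": clean_extracted,
        "hostile_blocked": hostile_blocked,
        "escaped_file_created": escaped_file_created,
    }


if __name__ == "__main__":
    print(demo())
```

The two-pass design matters: validating all members before writing any of them means a hostile archive leaves nothing behind, rather than half an extraction. On Python 3.12 and later the standard library offers the same kind of protection natively via extraction filters, e.g. `tar.extractall(path, filter="data")`, which rejects members outside the destination and escaping links.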

nabla-c0d3 commented 2 years ago

Hello, Thanks for the report! I've checked and updated all the URLs for downloading archives to HTTPS. This ensures that the archives are trusted.