Check for targets outside working directory for absolute symlinks.

PiperOrigin-RevId: 680726567
google · Oct 3, 2024 · c847401 · c847401
1 parent 9bf192d
commit c847401
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 22 deletions.
diff --git a/artifact/image/testfixtures/symlinks/Dockerfile b/artifact/image/testfixtures/symlinks/Dockerfile
@@ -13,10 +13,12 @@ RUN ln -s ./sample.txt /dir1/relative-dot-symlink.txt
 RUN ln -s sample.txt /dir1/relative-symlink.txt
 RUN ln -s absolute-symlink.txt /dir1/chain-symlink.txt
 RUN ln -s ../../secret.txt /dir1/attack-symlink.txt
+RUN ln -s /../secret.txt /dir1/attack-symlink-absolute.txt
 
 RUN ln -s ../../dir1/sample.txt /dir2/dir3/relative-subfolder-symlink.txt
 RUN ln -s /dir1/sample.txt /dir2/dir3/absolute-subfolder-symlink.txt
 RUN ln -s /dir1/chain-symlink.txt /dir2/dir3/absolute-chain-symlink.txt
+RUN ln -s /dir2/../dir1/sample.txt /dir2/dir3/absolute-symlink-inside-root.txt
 
 # - root
 #   - dir1
@@ -26,11 +28,13 @@ RUN ln -s /dir1/chain-symlink.txt /dir2/dir3/absolute-chain-symlink.txt
 #     - relative-symlink.txt -> sample.txt
 #     - chain-symlink.txt -> absolute-symlink.txt
 #     - attack-symlink.txt -> ../../secret.txt
+#     - attack-symlink-absolute.txt -> /../secret.txt
 #   - dir2
 #     - dir3
 #       - relative-subfolder-symlink.txt -> ../../dir1/sample.txt
 #       - absolute-subfolder-symlink.txt -> /dir1/sample.txt
 #       - absolute-chain-symlink.txt -> /dir1/chain-symlink.txt
+#       - absolute-symlink-inside-root.txt -> /dir2/../dir1/sample.txt
 
 FROM scratch
 

diff --git a/artifact/image/unpack/testdata/symlink.tar b/artifact/image/unpack/testdata/symlink.tar
diff --git a/artifact/image/unpack/unpack.go b/artifact/image/unpack/unpack.go
@@ -382,7 +382,7 @@ func unpack(dir string, reader io.Reader, symlinkResolution SymlinkResolution, s
 			target := header.Linkname
 			targetPath := target
 
-			if !filepath.IsAbs(target) && symlink.TargetOutsideRoot(cleanPath, target) {
+			if symlink.TargetOutsideRoot(cleanPath, target) {
 				log.Warnf("Found symlink that points outside the root, skipping: %q -> %q", cleanPath, target)
 				continue
 			}

diff --git a/artifact/image/unpack/unpack_test.go b/artifact/image/unpack/unpack_test.go
@@ -207,14 +207,15 @@ func TestUnpackSquashed(t *testing.T) {
 		}(),
 		image: mustImageFromPath(t, filepath.Join("testdata", "symlink.tar")),
 		want: map[string]contentAndMode{
-			filepath.FromSlash("dir1/absolute-symlink.txt"):                {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-			filepath.FromSlash("dir1/chain-symlink.txt"):                   {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-			filepath.FromSlash("dir1/relative-dot-symlink.txt"):            {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-			filepath.FromSlash("dir1/relative-symlink.txt"):                {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-			filepath.FromSlash("dir1/sample.txt"):                          {content: "sample text\n", mode: fs.FileMode(0644)},
-			filepath.FromSlash("dir2/dir3/absolute-chain-symlink.txt"):     {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-			filepath.FromSlash("dir2/dir3/absolute-subfolder-symlink.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-			filepath.FromSlash("dir2/dir3/relative-subfolder-symlink.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+			filepath.FromSlash("dir1/absolute-symlink.txt"):                  {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+			filepath.FromSlash("dir1/chain-symlink.txt"):                     {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+			filepath.FromSlash("dir1/relative-dot-symlink.txt"):              {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+			filepath.FromSlash("dir1/relative-symlink.txt"):                  {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+			filepath.FromSlash("dir1/sample.txt"):                            {content: "sample text\n", mode: fs.FileMode(0644)},
+			filepath.FromSlash("dir2/dir3/absolute-chain-symlink.txt"):       {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+			filepath.FromSlash("dir2/dir3/absolute-subfolder-symlink.txt"):   {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+			filepath.FromSlash("dir2/dir3/absolute-symlink-inside-root.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+			filepath.FromSlash("dir2/dir3/relative-subfolder-symlink.txt"):   {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
 		},
 	}, {
 		name: "image with absolute path symlink but only the symlink is required",
@@ -389,17 +390,18 @@ func TestUnpackLayers(t *testing.T) {
 		want: []digestAndContent{{
 			digest: "SQUASHED",
 			content: map[string]contentAndMode{
-				filepath.FromSlash("dir1/absolute-symlink.txt"):                {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-				filepath.FromSlash("dir1/chain-symlink.txt"):                   {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-				filepath.FromSlash("dir1/relative-dot-symlink.txt"):            {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-				filepath.FromSlash("dir1/relative-symlink.txt"):                {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-				filepath.FromSlash("dir1/sample.txt"):                          {content: "sample text\n", mode: fs.FileMode(0644)},
-				"dir2/dir3/absolute-chain-symlink.txt":                         {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-				filepath.FromSlash("dir2/dir3/absolute-subfolder-symlink.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-				filepath.FromSlash("dir2/dir3/relative-subfolder-symlink.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir1/absolute-symlink.txt"):                  {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir1/chain-symlink.txt"):                     {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir1/relative-dot-symlink.txt"):              {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir1/relative-symlink.txt"):                  {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir1/sample.txt"):                            {content: "sample text\n", mode: fs.FileMode(0644)},
+				"dir2/dir3/absolute-chain-symlink.txt":                           {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir2/dir3/absolute-subfolder-symlink.txt"):   {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir2/dir3/absolute-symlink-inside-root.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir2/dir3/relative-subfolder-symlink.txt"):   {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
 			},
 		}, {
-			digest: "sha256:5f09ece72b3eedea1a910b4b7450134b993c1c9196d46d5a258a21c16bc608f1",
+			digest: "sha256:db9f8289eaba906083fe31e9a2ba276097a6ba1d2e9482ddf06398644393ac12",
 			content: map[string]contentAndMode{
 				filepath.FromSlash("dir1/absolute-symlink.txt"):     {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
 				filepath.FromSlash("dir1/chain-symlink.txt"):        {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
@@ -408,11 +410,12 @@ func TestUnpackLayers(t *testing.T) {
 				filepath.FromSlash("dir1/sample.txt"):               {content: "sample text\n", mode: fs.FileMode(0644)},
 			},
 		}, {
-			digest: "sha256:685207dee3dc9ffe6690c5eaa3a0e43c45f6493513e72b8ba6118931725c2436",
+			digest: "sha256:1c7d64a26513bdb1e2d899938b14150e4ed3bc74afc23e9cb23442a282b7af4c",
 			content: map[string]contentAndMode{
-				filepath.FromSlash("dir2/dir3/absolute-chain-symlink.txt"):     {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-				filepath.FromSlash("dir2/dir3/absolute-subfolder-symlink.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
-				filepath.FromSlash("dir2/dir3/relative-subfolder-symlink.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir2/dir3/absolute-chain-symlink.txt"):       {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir2/dir3/absolute-subfolder-symlink.txt"):   {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir2/dir3/absolute-symlink-inside-root.txt"): {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
+				filepath.FromSlash("dir2/dir3/relative-subfolder-symlink.txt"):   {content: "sample text\n", mode: fs.ModeSymlink | fs.FileMode(0777)},
 			},
 		}},
 	}, {