[release-branch.go1.17] archive/zip: don't panic on (*Reader).Open

Jason7602 · FiloSottile · katiehockman · commit b212ba68296b · 2021-11-03T16:57:44.000Z
Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements. Open could also panic if passed the empty string directly as an argument. Now, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File. Note that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one. Finally, made the actual panic site robust as a defense-in-depth measure. Fixes CVE-2021-41772 Fixes #48252 Updates #48085 Co-authored-by: Filippo Valsorda <filippo@golang.org> Change-Id: I6271a3f2892e7746f52e213b8eba9a1bba974678 Reviewed-on: https://go-review.googlesource.com/c/go/+/349770 Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Katie Hockman <katie@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Trust: Katie Hockman <katie@golang.org> Trust: Julie Qiu <julie@golang.org> (cherry picked from commit b246873) Reviewed-on: https://go-review.googlesource.com/c/go/+/360859 Trust: Dmitri Shuralyov <dmitshur@golang.org> Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org> TryBot-Result: Go Bot <gobot@golang.org>
diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
@@ -741,6 +741,9 @@ func (r *Reader) initFileList() {
 		for _, file := range r.File {
 			isDir := len(file.Name) > 0 && file.Name[len(file.Name)-1] == '/'
 			name := toValidName(file.Name)
+			if name == "" {
+				continue
+			}
 			for dir := path.Dir(name); dir != "."; dir = path.Dir(dir) {
 				dirs[dir] = true
 			}
@@ -782,8 +785,11 @@ func fileEntryLess(x, y string) bool {
 func (r *Reader) Open(name string) (fs.File, error) {
 	r.initFileList()
 
+	if !fs.ValidPath(name) {
+		return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrInvalid}
+	}
 	e := r.openLookup(name)
-	if e == nil || !fs.ValidPath(name) {
+	if e == nil {
 		return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrNotExist}
 	}
 	if e.isDir {
@@ -797,7 +803,7 @@ func (r *Reader) Open(name string) (fs.File, error) {
 }
 
 func split(name string) (dir, elem string, isDir bool) {
-	if name[len(name)-1] == '/' {
+	if len(name) > 0 && name[len(name)-1] == '/' {
 		isDir = true
 		name = name[:len(name)-1]
 	}
diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
@@ -13,6 +13,7 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"reflect"
 	"regexp"
 	"strings"
 	"testing"
@@ -1202,6 +1203,15 @@ func TestCVE202127919(t *testing.T) {
 	if err != nil {
 		t.Errorf("Error reading file: %v", err)
 	}
+	if len(r.File) != 1 {
+		t.Fatalf("No entries in the file list")
+	}
+	if r.File[0].Name != "../test.txt" {
+		t.Errorf("Unexpected entry name: %s", r.File[0].Name)
+	}
+	if _, err := r.File[0].Open(); err != nil {
+		t.Errorf("Error opening file: %v", err)
+	}
 }
 
 func TestReadDataDescriptor(t *testing.T) {
@@ -1402,3 +1412,121 @@ func TestCVE202139293(t *testing.T) {
 		t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
 	}
 }
+
+func TestCVE202141772(t *testing.T) {
+	// Archive contains a file whose name is exclusively made up of '/', '\'
+	// characters, or "../", "..\" paths, which would previously cause a panic.
+	//
+	//  Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
+	// --------  ------  ------- ---- ---------- ----- --------  ----
+	//        0  Stored        0   0% 08-05-2021 18:32 00000000  /
+	//        0  Stored        0   0% 09-14-2021 12:59 00000000  //
+	//        0  Stored        0   0% 09-14-2021 12:59 00000000  \
+	//       11  Stored       11   0% 09-14-2021 13:04 0d4a1185  /test.txt
+	// --------          -------  ---                            -------
+	//       11               11   0%                            4 files
+	data := []byte{
+		0x50, 0x4b, 0x03, 0x04, 0x0a, 0x00, 0x00, 0x08,
+		0x00, 0x00, 0x06, 0x94, 0x05, 0x53, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2f, 0x50,
+		0x4b, 0x03, 0x04, 0x0a, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x78, 0x67, 0x2e, 0x53, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x02, 0x00, 0x00, 0x00, 0x2f, 0x2f, 0x50,
+		0x4b, 0x03, 0x04, 0x0a, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x78, 0x67, 0x2e, 0x53, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x01, 0x00, 0x00, 0x00, 0x5c, 0x50, 0x4b,
+		0x03, 0x04, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x91, 0x68, 0x2e, 0x53, 0x85, 0x11, 0x4a, 0x0d,
+		0x0b, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
+		0x09, 0x00, 0x00, 0x00, 0x2f, 0x74, 0x65, 0x73,
+		0x74, 0x2e, 0x74, 0x78, 0x74, 0x68, 0x65, 0x6c,
+		0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64,
+		0x50, 0x4b, 0x01, 0x02, 0x14, 0x03, 0x0a, 0x00,
+		0x00, 0x08, 0x00, 0x00, 0x06, 0x94, 0x05, 0x53,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
+		0xed, 0x41, 0x00, 0x00, 0x00, 0x00, 0x2f, 0x50,
+		0x4b, 0x01, 0x02, 0x3f, 0x00, 0x0a, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x78, 0x67, 0x2e, 0x53, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x02, 0x00, 0x24, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
+		0x00, 0x1f, 0x00, 0x00, 0x00, 0x2f, 0x2f, 0x0a,
+		0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+		0x00, 0x18, 0x00, 0x93, 0x98, 0x25, 0x57, 0x25,
+		0xa9, 0xd7, 0x01, 0x93, 0x98, 0x25, 0x57, 0x25,
+		0xa9, 0xd7, 0x01, 0x93, 0x98, 0x25, 0x57, 0x25,
+		0xa9, 0xd7, 0x01, 0x50, 0x4b, 0x01, 0x02, 0x3f,
+		0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x78,
+		0x67, 0x2e, 0x53, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+		0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x20, 0x00, 0x00, 0x00, 0x3f, 0x00, 0x00,
+		0x00, 0x5c, 0x0a, 0x00, 0x20, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x01, 0x00, 0x18, 0x00, 0x93, 0x98,
+		0x25, 0x57, 0x25, 0xa9, 0xd7, 0x01, 0x93, 0x98,
+		0x25, 0x57, 0x25, 0xa9, 0xd7, 0x01, 0x93, 0x98,
+		0x25, 0x57, 0x25, 0xa9, 0xd7, 0x01, 0x50, 0x4b,
+		0x01, 0x02, 0x3f, 0x00, 0x0a, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x91, 0x68, 0x2e, 0x53, 0x85, 0x11,
+		0x4a, 0x0d, 0x0b, 0x00, 0x00, 0x00, 0x0b, 0x00,
+		0x00, 0x00, 0x09, 0x00, 0x24, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
+		0x5e, 0x00, 0x00, 0x00, 0x2f, 0x74, 0x65, 0x73,
+		0x74, 0x2e, 0x74, 0x78, 0x74, 0x0a, 0x00, 0x20,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x18,
+		0x00, 0xa9, 0x80, 0x51, 0x01, 0x26, 0xa9, 0xd7,
+		0x01, 0x31, 0xd1, 0x57, 0x01, 0x26, 0xa9, 0xd7,
+		0x01, 0xdf, 0x48, 0x85, 0xf9, 0x25, 0xa9, 0xd7,
+		0x01, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x00, 0x00,
+		0x00, 0x04, 0x00, 0x04, 0x00, 0x31, 0x01, 0x00,
+		0x00, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00,
+	}
+	r, err := NewReader(bytes.NewReader([]byte(data)), int64(len(data)))
+	if err != nil {
+		t.Fatalf("Error reading the archive: %v", err)
+	}
+	entryNames := []string{`/`, `//`, `\`, `/test.txt`}
+	var names []string
+	for _, f := range r.File {
+		names = append(names, f.Name)
+		if _, err := f.Open(); err != nil {
+			t.Errorf("Error opening %q: %v", f.Name, err)
+		}
+		if _, err := r.Open(f.Name); err == nil {
+			t.Errorf("Opening %q with fs.FS API succeeded", f.Name)
+		}
+	}
+	if !reflect.DeepEqual(names, entryNames) {
+		t.Errorf("Unexpected file entries: %q", names)
+	}
+	if _, err := r.Open(""); err == nil {
+		t.Errorf("Opening %q with fs.FS API succeeded", "")
+	}
+	if _, err := r.Open("test.txt"); err != nil {
+		t.Errorf("Error opening %q with fs.FS API: %v", "test.txt", err)
+	}
+	dirEntries, err := fs.ReadDir(r, ".")
+	if err != nil {
+		t.Fatalf("Error reading the root directory: %v", err)
+	}
+	if len(dirEntries) != 1 || dirEntries[0].Name() != "test.txt" {
+		t.Errorf("Unexpected directory entries")
+		for _, dirEntry := range dirEntries {
+			_, err := r.Open(dirEntry.Name())
+			t.Logf("%q (Open error: %v)", dirEntry.Name(), err)
+		}
+		t.FailNow()
+	}
+	info, err := dirEntries[0].Info()
+	if err != nil {
+		t.Fatalf("Error reading info entry: %v", err)
+	}
+	if name := info.Name(); name != "test.txt" {
+		t.Errorf("Inconsistent name in info entry: %v", name)
+	}
+}
