attempt to resolve symlink problems

djdv · djdv · commit 6fa166559609 · 2018-04-06T12:59:07.000-04:00
diff --git a/extractor.go b/extractor.go
@@ -11,8 +11,11 @@ import (
 )
 
 type Extractor struct {
-	Path     string
-	Progress func(int64) int64
+	Path          string
+	Progress      func(int64) int64
+	sanitizePaths bool
+	sanitizeLinks bool
+	stubLinks     bool
 }
 
 func (te *Extractor) Extract(reader io.Reader) error {
@@ -61,13 +64,40 @@ func (te *Extractor) Extract(reader io.Reader) error {
 	return nil
 }
 
+// Sanitize toggles all output sanitation rules
+func (te *Extractor) Sanitize(toggle bool) {
+	te.sanitizePaths = toggle
+	te.sanitizeLinks = toggle
+}
+
+// SanitizePaths toggles converting illegal paths to valid paths on Extract
+func (te *Extractor) SanitizePaths(toggle bool) {
+	te.sanitizePaths = toggle
+
+}
+
+// SanitizeLinks toggles failure for links that are absolute or escape the output root on Extract
+func (te *Extractor) SanitizeLinks(toggle bool) {
+	te.sanitizeLinks = toggle
+}
+
+// StubLinks toggles link stubbing. When enabled, all links are created as empty files instead of links
+func (te *Extractor) StubLinks(toggle bool) {
+	te.stubLinks = toggle
+}
+
 // outputPath returns the path at which to place tarPath
 func (te *Extractor) outputPath(tarPath string) string {
-	elems := strings.Split(tarPath, "/")  // break into elems
-	elems = elems[1:]                     // remove IPFS root
-	safePath := platformSanitize(elems)   // sanitize IPFS path to be platform legal
-	safePath = fp.Join(te.Path, safePath) // rebase on to extraction target root
-	return safePath
+	var outPath string
+	elems := strings.Split(tarPath, "/") // break into elems
+	elems = elems[1:]                    // remove original root
+	if te.sanitizePaths {
+		outPath = platformSanitize(elems) // sanitize base path elements to be platform legal
+	} else {
+		outPath = fp.Join(elems...) // join elems
+	}
+	outPath = fp.Join(te.Path, outPath) // rebase on to extraction target root
+	return outPath
 }
 
 func (te *Extractor) extractDir(h *tar.Header, depth int) error {
@@ -82,6 +112,14 @@ func (te *Extractor) extractDir(h *tar.Header, depth int) error {
 }
 
 func (te *Extractor) extractSymlink(h *tar.Header) error {
+	if te.stubLinks {
+		f, err := os.Create(te.outputPath(h.Name))
+		f.Close()
+		return err
+	}
+	if te.sanitizeLinks {
+		return platformLink(te.Path, h.Linkname, te.outputPath(h.Name))
+	}
 	return os.Symlink(h.Linkname, te.outputPath(h.Name))
 }
 
diff --git a/sanitize.go b/sanitize.go
@@ -2,8 +2,29 @@
 
 package tar
 
-import "path/filepath"
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+)
 
 func platformSanitize(pathElements []string) string {
 	return filepath.Join(pathElements...)
 }
+
+//func platformLink(target, link string) error {
+//func platformLink(linkBase string, linkHeader *tar.Header) error {
+func platformLink(targetRoot, target, link string) error {
+	//prevent symlinks from accessing outside of the output root
+	resolvedTarget := filepath.Join(target, link)
+	rel, err := filepath.Rel(targetRoot, resolvedTarget)
+	if err != nil {
+		return err
+	}
+	if strings.HasPrefix(rel, "..") {
+		return fmt.Errorf("Symlink target %q escapes target root %q", target, targetRoot)
+	}
+	return os.Symlink(target, link)
+	//return os.Symlink(h.Linkname, linkBase te.outputPath(h.Name))
+}
diff --git a/sanitize_windows.go b/sanitize_windows.go
@@ -3,9 +3,12 @@ package tar
 import (
 	"fmt"
 	"net/url"
+	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
+
+	"golang.org/x/sys/windows"
 )
 
 //https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx
@@ -20,6 +23,8 @@ func init() {
 }
 
 func platformSanitize(pathElements []string) string {
+	//FIXME: what if a path starts with `\`
+
 	//first pass: strip illegal tail & prefix reserved names `CON .` -> `_CON`
 	for pi := range pathElements {
 		pathElements[pi] = strings.TrimRight(pathElements[pi], ". ") //MSDN: Do not end a file or directory name with a space or a period
@@ -54,3 +59,38 @@ func platformSanitize(pathElements []string) string {
 
 	return filepath.FromSlash(res)
 }
+
+func platformLink(targetRoot, target, link string) error {
+	if filepath.IsAbs(target) {
+		return fmt.Errorf("Link target %q is an absolute path (forbidden)", target) //TODO: discuss
+	}
+
+	if strings.HasPrefix(target, string(os.PathSeparator)) || strings.HasPrefix(target, "/") {
+		return fmt.Errorf("Link target %q is relative to drive root (forbidden)", target) //TODO: discuss
+	}
+
+	resolvedTarget := filepath.Join(link, target)
+	rel, err := filepath.Rel(targetRoot, resolvedTarget)
+	if err != nil {
+		return err
+	}
+
+	//disallow symlinks from climbing out of the target root
+	if strings.HasPrefix(rel, "..") {
+		return fmt.Errorf("Symlink target %q escapes target root %q", target, targetRoot)
+	}
+	//disallow pointing to self from parent ("../self" resolves to "self")
+	if resolvedTarget == targetRoot {
+		return fmt.Errorf("Symlink target %q points to itself %q", target, targetRoot)
+	}
+
+	//TODO: placeholder url
+	err = os.Symlink(target, link)
+	if err != nil {
+		if lErr, ok := err.(*os.LinkError); ok && lErr.Err == windows.ERROR_PRIVILEGE_NOT_HELD {
+			return fmt.Errorf("Symlink creation privileges not held, see: https://github.com/ipfs/go-ipfs/blob/master/docs/windows.md#troubleshooting")
+		}
+		return err
+	}
+	return nil
+}
