ECOPROJECT-4719 | fix: Prevent symlink-based path traversal in VDDK tarball extraction

Resolves CVE vulnerability where chained symlinks could write files outside
the extraction directory. An attacker could craft a tarball with:
1. a/x → .. (symlink passes lexical validation)
2. a/x/evil.sh (follows symlink, writes to ../evil.sh outside destDir)

This enables arbitrary file write as UID 1001, allowing:
- Config file overwrites in /var/lib/agent/
- Persistent code execution via /app/.cache
- Exfiltration of vCenter admin credentials

Fix: Before creating files/directories, resolve parent path symlinks with
filepath.EvalSymlinks and verify the resolved path remains inside destDir.
Legitimate VDDK .so version symlinks are still supported.

Signed-off-by: Aviel Segev <asegev@redhat.com>

Author: AvielSegev

internal/services/vddk.go

@@ -176,6 +176,26 @@ func extractTarGz(r io.Reader, destDir string) error {
 			return fmt.Errorf("illegal file path: %s", targetPath)
 		}
 
+		// ECOPROJECT-4719 | Before creating files/directories, resolve symlinks in the parent path
+		// to prevent chained symlink attacks (e.g., a/x -> .., then a/x/evil)
+		if header.Typeflag == tar.TypeDir || header.Typeflag == tar.TypeReg || header.Typeflag == tar.TypeSymlink {
+			parentDir := filepath.Dir(targetPath)
+			if parentDir != destDir {
+				resolvedParent, err := filepath.EvalSymlinks(parentDir)
+				if err == nil {
+					// Parent exists - verify resolved path is still strictly inside destDir.
+					// If it resolves to destDir itself, that means a symlink has traversed
+					// back to the root, which indicates an escape attempt.
+					if filepath.Clean(resolvedParent) == filepath.Clean(destDir) {
+						return fmt.Errorf("symlink escape detected: %s resolves to %s (root)", parentDir, resolvedParent)
+					}
+					if !pathInsideDest(destDir, resolvedParent) {
+						return fmt.Errorf("symlink escape detected: %s resolves to %s", parentDir, resolvedParent)
+					}
+				}
+			}
+		}
+
 		switch header.Typeflag {
 		case tar.TypeDir:
 			// create directory

internal/services/vddk_test.go

@@ -260,6 +260,87 @@ var _ = Describe("VddkService", func() {
 		})
 	})
 
+	Describe("Security: Path Traversal Prevention", func() {
+		It("blocks chained symlink attack", func() {
+			tarGz := test.BuildTarGz(
+				test.TarEntry{
+					Path:       "a/x",
+					LinkTarget: "..",
+				},
+				test.TarEntry{
+					Path:    "a/x/evil.sh",
+					Content: "malicious payload",
+				},
+			)
+			filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
+			_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("symlink escape detected"))
+		})
+
+		It("blocks absolute symlink escape", func() {
+			tarGz := test.BuildTarGz(
+				test.TarEntry{
+					Path:       "malicious",
+					LinkTarget: "/etc/passwd",
+				},
+			)
+			filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
+			_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("illegal symlink target"))
+		})
+
+		It("blocks relative symlink pointing outside destDir", func() {
+			tarGz := test.BuildTarGz(
+				test.TarEntry{
+					Path:       "a/b/c",
+					LinkTarget: "../../../etc/passwd",
+				},
+			)
+			filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
+			_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("illegal symlink target"))
+		})
+
+		It("allows legitimate VDDK internal symlinks", func() {
+			// VDDK tarballs contain .so version symlinks like libcares.so -> libcares.so.2
+			tarGz := test.BuildTarGz(
+				test.TarEntry{
+					Path:    "vmware-vix-disklib-distrib/lib64/libvixDiskLib.so.8.0.3",
+					Content: "library-content",
+				},
+				test.TarEntry{
+					Path:       "vmware-vix-disklib-distrib/lib64/libvixDiskLib.so",
+					LinkTarget: "libvixDiskLib.so.8.0.3",
+				},
+			)
+			filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
+			_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
+			Expect(err).NotTo(HaveOccurred())
+
+			// Verify symlink was created correctly
+			link := filepath.Join(dataDir, "vddk", "vmware-vix-disklib-distrib", "lib64", "libvixDiskLib.so")
+			target, err := os.Readlink(link)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(target).To(Equal("libvixDiskLib.so.8.0.3"))
+		})
+
+		It("blocks directory traversal with clean paths", func() {
+			tarGz := test.BuildTarGz(
+				test.TarEntry{
+					Path:    "../../etc/shadow",
+					Content: "malicious",
+				},
+			)
+			filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
+			_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("illegal file path"))
+		})
+	})
+
 	Describe("extractVersion", func() {
 		// extractVersion is unexported; we test via Upload with different filenames and tar layouts
 		It("parses version from VMware-vix-disklib-X.Y.Z-... filename", func() {