ECOPROJECT-4719 | fix: Prevent symlink-based path traversal in VDDK tarball extraction#256
Conversation
Walkthrough: This PR hardens tar.gz extraction security by adding symlink-escape detection to
Changes: Symlink Escape Detection
f54d7dc to ef99c9b

/approve
…arball extraction

Resolves CVE vulnerability where chained symlinks could write files outside the extraction directory.

An attacker could craft a tarball with:
1. a/x → .. (symlink passes lexical validation)
2. a/x/evil.sh (follows symlink, writes to ../evil.sh outside destDir)

This enables arbitrary file write as UID 1001, allowing:
- Config file overwrites in /var/lib/agent/
- Persistent code execution via /app/.cache
- Exfiltration of vCenter admin credentials

Fix: Before creating files/directories, resolve parent path symlinks with filepath.EvalSymlinks and verify the resolved path remains inside destDir. Legitimate VDDK .so version symlinks are still supported.

Signed-off-by: Aviel Segev <asegev@redhat.com>
ef99c9b to 08de5b2
    // to prevent chained symlink attacks (e.g., a/x -> .., then a/x/evil)
    if header.Typeflag == tar.TypeDir || header.Typeflag == tar.TypeReg || header.Typeflag == tar.TypeSymlink {
        parentDir := filepath.Dir(targetPath)
        if parentDir != destDir {
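Review bot: the type check on the `if header.Typeflag == tar.TypeDir || ...` line only covers TypeDir, TypeReg and TypeSymlink, so any other entry type that creates a path under destDir (a hard link, tar.TypeLink, for instance) would skip the parent-directory symlink resolution entirely; either reject every unhandled Typeflag before this point or extend the condition, e.g. `... || header.Typeflag == tar.TypeSymlink || header.Typeflag == tar.TypeLink {`, so that no entry reaches the filesystem without passing this check.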
do we need to clean these directories from slashes?
maybe with this: https://pkg.go.dev/path/filepath#Clean
If you scroll up a bit, you will see:
targetPath := filepath.Clean(filepath.Join(destDir, header.Name))
and parentDir := filepath.Dir(targetPath)
Regarding destDir, the caller is expected to pass a clean path.
/lgtm

can you please approve the PR using the regular
Summary

Security Impact

Severity: High - Unauthenticated LAN-adjacent arbitrary file write as UID 1001

Vulnerability Details

The PUT /inspector/vddk endpoint extracts gzip'd tarballs using extractTarGz(). The existing path traversal protection used lexical checks (filepath.Clean + HasPrefix) that don't resolve symlinks already on disk.

Attack scenario:
1. a/x → .. (passes lexical validation)
2. a/x/evil.sh, which follows the live symlink: dest/../evil.sh (outside destDir)

Real impact:
- /var/lib/agent/config.json (config manipulation)
- /app/.cache/malicious.py (persistent code execution)

Fix Implementation

Before creating files/directories, resolve parent directory symlinks with filepath.EvalSymlinks and verify the resolved path is still inside destDir. This prevents the attack while maintaining support for legitimate VDDK internal symlinks (e.g., libvixDiskLib.so → libvixDiskLib.so.8.0.3).
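The resolve-then-verify check described in the fix, as an added stand-alone example in Go (not the project's own extractTarGz code): the lexical Clean+HasPrefix check runs first, then the already-existing part of the entry's parent directory is resolved with filepath.EvalSymlinks and compared against the resolved destDir, which is what catches a parent that chains through a symlink pointing outside the tree while leaving in-tree symlinks such as a .so version alias untouched. The function names SafeTargetPath, insideDir and nearestExisting are my own, and the paths in the comments are constructed.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var errEscape = errors.New("tar entry escapes destination directory")

// insideDir reports whether p equals dir or lies below it.
func insideDir(dir, p string) bool {
	return p == dir || strings.HasPrefix(p, dir+string(os.PathSeparator))
}

// nearestExisting walks up from p to the closest path present on disk, so the
// symlink resolution below also works for directories the tar has not created yet.
func nearestExisting(p string) string {
	for {
		if _, err := os.Lstat(p); err == nil || filepath.Dir(p) == p {
			return p
		}
		p = filepath.Dir(p)
	}
}

// SafeTargetPath applies the lexical check (Clean+HasPrefix) and then the
// symlink-aware check: the existing part of the entry's parent directory is
// resolved with EvalSymlinks and must still lie inside the resolved destDir.
func SafeTargetPath(destDir, name string) (string, error) {
	destDir = filepath.Clean(destDir)
	target := filepath.Clean(filepath.Join(destDir, name))
	if !insideDir(destDir, target) {
		return "", errEscape // lexical escape such as ../evil.sh
	}
	realDest, err := filepath.EvalSymlinks(destDir)
	if err != nil {
		return "", err
	}
	realParent, err := filepath.EvalSymlinks(nearestExisting(filepath.Dir(target)))
	if err != nil {
		return "", err
	}
	if !insideDir(realDest, realParent) {
		return "", errEscape // parent chains through a symlink leaving destDir
	}
	return target, nil
}
```

Call SafeTargetPath for every header before any os.MkdirAll, os.Create or os.Symlink, since an earlier entry may have planted the symlink that a later entry's parent resolves through.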