Skip to content

ECOPROJECT-4719 | fix: Prevent symlink-based path traversal in VDDK tarball extraction #256

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AvielSegev merged 1 commit into from
Jun 7, 2026
+101 −0
Merged

ECOPROJECT-4719 | fix: Prevent symlink-based path traversal in VDDK tarball extraction #256

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions internal/services/vddk.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,26 @@ func extractTarGz(r io.Reader, destDir string) error {
return fmt.Errorf("illegal file path: %s", targetPath)
}

// ECOPROJECT-4719 | Before creating files/directories, resolve symlinks in the parent path
// to prevent chained symlink attacks (e.g., a/x -> .., then a/x/evil)
if header.Typeflag == tar.TypeDir || header.Typeflag == tar.TypeReg || header.Typeflag == tar.TypeSymlink {
parentDir := filepath.Dir(targetPath)
if parentDir != destDir {

@amalimov amalimov Jun 4, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need to clean these directories from slashes?

@amalimov amalimov Jun 4, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe with this: https://pkg.go.dev/path/filepath#Clean

@AvielSegev AvielSegev Jun 4, 2026

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you scroll up a bit, you will see:

targetPath := filepath.Clean(filepath.Join(destDir, header.Name))
and parentDir := filepath.Dir(targetPath)

Regarding destDir, expected from the caller to pass clean path.

resolvedParent, err := filepath.EvalSymlinks(parentDir)
if err == nil {
// Parent exists - verify resolved path is still strictly inside destDir.
// If it resolves to destDir itself, that means a symlink has traversed
// back to the root, which indicates an escape attempt.
if filepath.Clean(resolvedParent) == filepath.Clean(destDir) {
return fmt.Errorf("symlink escape detected: %s resolves to %s (root)", parentDir, resolvedParent)
}
if !pathInsideDest(destDir, resolvedParent) {
return fmt.Errorf("symlink escape detected: %s resolves to %s", parentDir, resolvedParent)
}
}
}
}

switch header.Typeflag {
case tar.TypeDir:
// create directory
Expand Down
81 changes: 81 additions & 0 deletions internal/services/vddk_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,87 @@ var _ = Describe("VddkService", func() {
})
})

Describe("Security: Path Traversal Prevention", func() {
It("blocks chained symlink attack", func() {
tarGz := test.BuildTarGz(
test.TarEntry{
Path: "a/x",
LinkTarget: "..",
},
test.TarEntry{
Path: "a/x/evil.sh",
Content: "malicious payload",
},
)
filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
Expect(err).To(HaveOccurred())
Expect(err.Error()).To(ContainSubstring("symlink escape detected"))
})

It("blocks absolute symlink escape", func() {
tarGz := test.BuildTarGz(
test.TarEntry{
Path: "malicious",
LinkTarget: "/etc/passwd",
},
)
filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
Expect(err).To(HaveOccurred())
Expect(err.Error()).To(ContainSubstring("illegal symlink target"))
})

It("blocks relative symlink pointing outside destDir", func() {
tarGz := test.BuildTarGz(
test.TarEntry{
Path: "a/b/c",
LinkTarget: "../../../etc/passwd",
},
)
filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
Expect(err).To(HaveOccurred())
Expect(err.Error()).To(ContainSubstring("illegal symlink target"))
})

It("allows legitimate VDDK internal symlinks", func() {
// VDDK tarballs contain .so version symlinks like libcares.so -> libcares.so.2
tarGz := test.BuildTarGz(
test.TarEntry{
Path: "vmware-vix-disklib-distrib/lib64/libvixDiskLib.so.8.0.3",
Content: "library-content",
},
test.TarEntry{
Path: "vmware-vix-disklib-distrib/lib64/libvixDiskLib.so",
LinkTarget: "libvixDiskLib.so.8.0.3",
},
)
filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
Expect(err).NotTo(HaveOccurred())

// Verify symlink was created correctly
link := filepath.Join(dataDir, "vddk", "vmware-vix-disklib-distrib", "lib64", "libvixDiskLib.so")
target, err := os.Readlink(link)
Expect(err).NotTo(HaveOccurred())
Expect(target).To(Equal("libvixDiskLib.so.8.0.3"))
})

It("blocks directory traversal with clean paths", func() {
tarGz := test.BuildTarGz(
test.TarEntry{
Path: "../../etc/shadow",
Content: "malicious",
},
)
filename := "VMware-vix-disklib-8.0.3-23950268.x86_64.tar.gz"
_, err := srv.Upload(context.Background(), filename, bytes.NewReader(tarGz))
Expect(err).To(HaveOccurred())
Expect(err.Error()).To(ContainSubstring("illegal file path"))
})
})

Describe("extractVersion", func() {
// extractVersion is unexported; we test via Upload with different filenames and tar layouts
It("parses version from VMware-vix-disklib-X.Y.Z-... filename", func() {
Expand Down
Loading