download_from_google_storage: allow normal files with ..

Although we want to prevent dfgs from untar'ing files to a parent or sibling of its target directory, normal files that just happen to have ".." in their name (i.e. not preceding a path separator) are okay. R=hinoka Bug: 807286 Change-Id: Ibdc2c3615c4778ef66abceb532a4f671fbdab8ef Reviewed-on: https://chromium-review.googlesource.com/912430 Reviewed-by: Ryan Tseng <hinoka@chromium.org> Commit-Queue: Aaron Gable <agable@chromium.org>
2026-01-11 18:51:29 +00:00 · 2018-02-12 09:55:09 -08:00
parent 705e51807f
commit 22b540d065
2 changed files with 13 additions and 2 deletions
--- a/download_from_google_storage.py
+++ b/download_from_google_storage.py
@@ -209,7 +209,9 @@ def _validate_tar_file(tar, prefix):
    """Returns false if the tarinfo is something we explicitly forbid."""
    if tarinfo.issym() or tarinfo.islnk():
      return False
-    if '..' in tarinfo.name or not tarinfo.name.startswith(prefix):
+    if ('../' in tarinfo.name or
+        '..\\' in tarinfo.name or
+        not tarinfo.name.startswith(prefix)):
      return False
    return True
  return all(map(_validate, tar.getmembers()))
--- a/tests/download_from_google_storage_unittest.py
+++ b/tests/download_from_google_storage_unittest.py
@@ -128,7 +128,7 @@ class GstoolsUnitTests(unittest.TestCase):
        self.assertFalse(
            download_from_google_storage._validate_tar_file(tar,
                                                            tar_dir_outside))
-      # Test no ..
+      # Test no ../
      tar_with_dotdot = 'with_dotdot.tar.gz'
      dotdot_file = os.path.join(tar_dir, '..', tar_dir, 'lorem_ipsum.txt')
      with tarfile.open(tar_with_dotdot, 'w:gz') as tar:
@@ -136,6 +136,15 @@ class GstoolsUnitTests(unittest.TestCase):
        self.assertFalse(
            download_from_google_storage._validate_tar_file(tar,
                                                            tar_dir))
+      # Test normal file with .. in name okay
+      tar_with_hidden = 'with_normal_dotdot.tar.gz'
+      hidden_file = os.path.join(tar_dir, '..hidden_file.txt')
+      shutil.copyfile(lorem_ipsum, hidden_file)
+      with tarfile.open(tar_with_hidden, 'w:gz') as tar:
+        tar.add(hidden_file)
+        self.assertTrue(
+            download_from_google_storage._validate_tar_file(tar,
+                                                            tar_dir))

  def test_gsutil(self):
    # This will download a real gsutil package from Google Storage.