Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

File paths of ZIP contents are not sanitized #8731

Closed
SLeitgeb opened this issue Oct 31, 2024 · 8 comments · Fixed by #8732
Closed

File paths of ZIP contents are not sanitized #8731

SLeitgeb opened this issue Oct 31, 2024 · 8 comments · Fixed by #8732
Assignees
@charliermarsh
Labels
security

Comments

@SLeitgeb
Copy link

All files from a package WHL are extracted to the path resolved from the current directory. The ZIP file path is not sanitized first (as suggested in the async_zip package), which could lead to directory traversal attacks, e.g. by a malicious package.

The demo below uses relative filepaths, but this would presumably resolve absolute paths as well (e.g. ~/.cache/uv/archive-v0 + /etc/passwd/etc/passwd).

Tested on Arch Linux with uv 0.4.28, Python 3.10. This should also affect Windows.

An example of the issue using an empty payload file in a parent directory.

touch payload
uv init payload-package
cd payload-package
uv build
cd dist/
zip payload_package-0.1.0-py3-none-any.whl ../../payload
cd ../..
uv init payload-package-importer
cd payload-package-importer
uv add ../payload-package/dist/payload_package-0.1.0-py3-none-any.whl
ls -1 ~/.cache | grep payload

You should observe a payload file created two directories up relative to the directory from which the paths are resolved (should be the $HOME/.config directory).
@charliermarsh
Copy link
Member

Thanks, I'll fix this (though PRs are also welcome).

@charliermarsh charliermarsh self-assigned this Oct 31, 2024
@charliermarsh charliermarsh mentioned this issue Oct 31, 2024
Merged
@BurntSushi
Copy link
Member

@SLeitgeb Can you say more about the threat model you're using here?

@SLeitgeb
Copy link
Author

The scenario that comes to mind involves a malicious package that would get installed as a user dependency. This package doesn't need to be a direct dependency, it could also be a dependency of another package.

The WHL archive of the malicious package could be manipulated to include arbitrary files (SSH keys, binaries, etc.) that uv would then extract. Running uv as a privileged user in a production environment could then be quite bad.

I don't think this scenario is too likely, and the offending packages would be easy to discover, but there could also be other implications I'm not seeing (maybe package sources outside of pypi?).

@BurntSushi
Copy link
Member

I think you also need to stipulate that you've configured uv to never build anything. If you're building sdists, then in that context, arbitrary code can run.

But if you're only installing wheels with --no-build, then yeah, you might have the expectation that builds are isolated from doing these kinds of shenanigans.

@charliermarsh
Copy link
Member

Are you sure the example from the summary works? For local wheels, we use the zip crate, not async_zip.

@SLeitgeb
Copy link
Author

@BurntSushi That seems right. I don't think it's a big issue, just something I wanted you to be aware of.

@SLeitgeb
Copy link
Author

@charliermarsh I tested this several times to be sure, once also with the package installed from a local index, with the same results.

charliermarsh added a commit that referenced this issue Oct 31, 2024
@charliermarsh
Sanitize filenames during zip extraction (#8732)
f326458 
## Summary

Based on the example in `async-zip`:
https://github.com/Majored/rs-async-zip/blob/527bda9d58c1ba1fa973a0faeb68dce91fa4ffe4/examples/file_extraction.rs#L33

Closes: #8731.

## Test Plan

Created https://github.com/astral-sh/sanitize-wheel-test.
@charliermarsh
Copy link
Member

Thanks for catching this @SLeitgeb, appreciate it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@charliermarsh charliermarsh

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Sanitize filenames during zip extraction astral-sh/uv
3 participants
@BurntSushi @charliermarsh @SLeitgeb