Add path checking for relative/escaped tar filenames in the ansible-galaxy command

f8845af1 · James Cammarata · a45c3b84 · f8845af1
Commit f8845af1 authored Aug 05, 2014 by James Cammarata
Show whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

bin/ansible-galaxy
+10 -2

No files found.
--- a/bin/ansible-galaxy
+++ b/bin/ansible-galaxy
@@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
        # verify the role's meta file
        meta_file = None
        members = role_tar_file.getmembers()
+        # next find the metadata file
        for member in members:
            if "/meta/main.yml" in member.name:
                meta_file = member
@@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):

            # now we do the actual extraction to the role_path
            for member in members:
-                # we only extract files
+                # we only extract files, and remove any relative path
+                # bits that might be in the file for security purposes
+                # and drop the leading directory, as mentioned above
                if member.isreg():
-                    member.name = "/".join(member.name.split("/")[1:])
+                    parts = member.name.split("/")[1:]
+                    final_parts = []
+                    for part in parts:
+                        if part != '..' and '~' not in part and '$' not in part:
+                            final_parts.append(part)
+                    member.name = os.path.join(*final_parts)
                    role_tar_file.extract(member, role_path)

            # write out the install info file for later use