Add path checking for relative/escaped tar filenames in the ansible-galaxy command

10 years ago · f8845af195
parent a45c3b84f3
commit f8845af195
1 changed files with 10 additions and 2 deletions
--- a/bin/ansible-galaxy
+++ b/bin/ansible-galaxy
@ -445,6 +445,7 @@ def install_role(role_name, role_version, role_filename, options):
        # verify the role's meta file
        meta_file = None
        members = role_tar_file.getmembers()
+        # next find the metadata file
        for member in members:
            if "/meta/main.yml" in member.name:
                meta_file = member
@ -484,9 +485,16 @@ def install_role(role_name, role_version, role_filename, options):

            # now we do the actual extraction to the role_path
            for member in members:
-                # we only extract files
+                # we only extract files, and remove any relative path
+                # bits that might be in the file for security purposes
+                # and drop the leading directory, as mentioned above
                if member.isreg():
-                    member.name = "/".join(member.name.split("/")[1:])
+                    parts = member.name.split("/")[1:]
+                    final_parts = []
+                    for part in parts:
+                        if part != '..' and '~' not in part and '$' not in part:
+                            final_parts.append(part)
+                    member.name = os.path.join(*final_parts)
                    role_tar_file.extract(member, role_path)

            # write out the install info file for later use