From ad3241929ea00569c74505ed002208ce360c667e Mon Sep 17 00:00:00 2001
From: Thierry Carrez <thierry@openstack.org>
Date: Thu, 1 Dec 2011 17:54:16 +0100
Subject: Sanitize EC2 manifests and image tarballs

Prevent potential directory traversal with malicious EC2 image tarballs,
by making sure the tarfile is safe before unpacking it. Fixes bug 894755

Prevent potential directory traversal with malicious file names in
EC2 image manifests. Fixes bug 885167

Change-Id: If6109047307bd6e654ee9d1254f0d7f31cf741c1
---
 nova/image/s3.py            |  13 ++++++++++++-
 nova/tests/image/abs.tar.gz | Bin 0 -> 153 bytes
 nova/tests/image/rel.tar.gz | Bin 0 -> 165 bytes
 nova/tests/image/test_s3.py |  10 ++++++++++
 4 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 nova/tests/image/abs.tar.gz
 create mode 100644 nova/tests/image/rel.tar.gz

(limited to 'nova')

diff --git a/nova/image/s3.py b/nova/image/s3.py
index ea0882d39..46a940a69 100644
--- a/nova/image/s3.py
+++ b/nova/image/s3.py
@@ -155,7 +155,7 @@ class S3ImageService(object):
     @staticmethod
     def _download_file(bucket, filename, local_dir):
         key = bucket.get_key(filename)
-        local_filename = os.path.join(local_dir, filename)
+        local_filename = os.path.join(local_dir, os.path.basename(filename))
         key.get_contents_to_filename(local_filename)
         return local_filename
 
@@ -387,8 +387,19 @@ class S3ImageService(object):
                                     {'image_file': encrypted_filename,
                                      'err': err})
 
+    @staticmethod
+    def _test_for_malicious_tarball(path, filename):
+        """Raises exception if extracting tarball would escape extract path"""
+        tar_file = tarfile.open(filename, 'r|gz')
+        for n in tar_file.getnames():
+            if not os.path.abspath(os.path.join(path, n)).startswith(path):
+                tar_file.close()
+                raise exception.Error(_('Unsafe filenames in image'))
+        tar_file.close()
+
     @staticmethod
     def _untarzip_image(path, filename):
+        S3ImageService._test_for_malicious_tarball(path, filename)
         tar_file = tarfile.open(filename, 'r|gz')
         tar_file.extractall(path)
         image_file = tar_file.getnames()[0]
diff --git a/nova/tests/image/abs.tar.gz b/nova/tests/image/abs.tar.gz
new file mode 100644
index 000000000..4d3950734
Binary files /dev/null and b/nova/tests/image/abs.tar.gz differ
diff --git a/nova/tests/image/rel.tar.gz b/nova/tests/image/rel.tar.gz
new file mode 100644
index 000000000..b54f55aa7
Binary files /dev/null and b/nova/tests/image/rel.tar.gz differ
diff --git a/nova/tests/image/test_s3.py b/nova/tests/image/test_s3.py
index 02f66fce1..2a9d279f4 100644
--- a/nova/tests/image/test_s3.py
+++ b/nova/tests/image/test_s3.py
@@ -15,6 +15,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import os
+
 from nova import context
 import nova.db.api
 from nova import exception
@@ -130,3 +132,11 @@ class TestS3ImageService(test.TestCase):
             {'device_name': '/dev/sdb0',
              'no_device': True}]
         self.assertEqual(block_device_mapping, expected_bdm)
+
+    def test_s3_malicious_tarballs(self):
+        self.assertRaises(exception.Error,
+            self.image_service._test_for_malicious_tarball,
+            "/unused", os.path.join(os.path.dirname(__file__), 'abs.tar.gz'))
+        self.assertRaises(exception.Error,
+            self.image_service._test_for_malicious_tarball,
+            "/unused", os.path.join(os.path.dirname(__file__), 'rel.tar.gz'))
-- 
cgit