Python Arbitrary File Write Protection: The Tarbomb

⚠️ The code in this post is meant for education purposes ONLY! If you don't own or have explicit permission to do penetration testing against an application, DO NOT USE THIS CODE ⚠️

What is a Tarbomb?

A tarbomb can actually be a few different things. One common definition is similar to the XML bomb we looked at previously, which expands from a small file into a very large object in memory; in this case the tar archive contains many, many files which flood the file system when extracted. However, we'll be looking at an alternative type of tarbomb which is more malicious than merely annoying.

Our tarbomb will be constructed by adding files to the tarball with member names that point outside of the current directory, using relative paths. There are also variants of this attack which use absolute paths or symlinks to accomplish the same goal: file creation or overwrite in a directory the archive should not be able to touch.

As an example of how this could work, imagine you're on your MacBook trying to open a file you just downloaded from your email, accounts_2020_06.tar.gz. From your Downloads folder, you would expect the archive to be extracted into a new folder named accounts_2020_06. However, what if the archive contained a member with the path ../.bash_profile, holding a modified bash profile that opens a backdoor on your system? If the path is taken literally, this malicious file would overwrite your valid bash profile and you wouldn't even know it.

Luckily, the macOS Archive Utility and many other decompression tools check for these scenarios. However, not all do; case in point: tarfile, part of the Python standard library, is vulnerable to this type of attack when used out of the box.

While most major zip and tar compression libraries have patched this vulnerability since Snyk did additional research and publicized Zip Slip in 2018, I have to assume that there are still many modern and legacy libraries and products that are vulnerable to this class of vulnerability.

Creating a Tarbomb

Creating a tarbomb isn't very difficult. See the code example below for a simple tool I put together to quickly create tarbombs for testing.

Triggering the Tarbomb

As mentioned earlier, Python's tarfile module is vulnerable to this weakness. To trigger the vulnerability you just need to invoke the extractall method on a malicious tarball (extract on an individual malicious member behaves the same way).

Protection

I couldn't find any reliable workarounds for safe extraction after some light googling, so I made my own drop-in replacement library for tarfile. My solution, tarsafe, actually just subclasses TarFile and adds some safety checks.

Tarsafe can be used in exactly the same way as tarfile, but with added protections in extractall not just against path traversal via relative paths, but also against symlinks and hard links.
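To make the three steps above (creating the tarbomb, triggering it, protecting against it) concrete, here is an added, self-contained example of my own; it is neither the tarbomb generator nor the tarsafe library from the original post. It builds gzip tarballs in memory with TarInfo and addfile so the member names are stored verbatim (TarFile.add() would strip leading slashes from an absolute name), shows that stock extractall writes ../.bash_profile into the parent of the extraction directory, and then defines a SafeTarFile subclass, modelled on the subclass-and-check idea, that refuses relative traversal, absolute paths and link members before writing anything. Everything happens inside a tempfile.TemporaryDirectory, so the sandboxed escape is harmless. The names build_tarbomb, SafeTarFile, the payload bytes and the archive contents are my own constructions.

```python
import io
import os
import tarfile
import tempfile

# Constructed sample contents (hypothetical): the payload stands in for a
# backdoored shell profile, the CSV is the decoy the victim expects to find.
PAYLOAD = b"# constructed payload: a backdoored .bash_profile would go here\n"
CSV = b"id,total\n1,42\n"


def build_tarbomb(members):
    """Build a gzip tarball in memory from (name, payload, linkname) tuples.

    TarInfo + addfile stores the member name verbatim, so "../x" and "/abs/x"
    survive untouched. A non-None linkname makes the member a symlink.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload, linkname in members:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# The three classic variants: relative traversal, absolute path, and a symlink
# through which a later member would be written. Only the first is ever
# extracted unsafely here, and only inside a temporary directory.
TRAVERSAL_BOMB = build_tarbomb([("../.bash_profile", PAYLOAD, None),
                                ("accounts_2020_06/accounts.csv", CSV, None)])
ABSOLUTE_BOMB = build_tarbomb([("/tmp/owned", PAYLOAD, None)])
SYMLINK_BOMB = build_tarbomb([("accounts_2020_06", None, "/"),
                              ("accounts_2020_06/.bash_profile", PAYLOAD, None)])
BENIGN = build_tarbomb([("accounts_2020_06/accounts.csv", CSV, None)])


def unsafe_extract(data, dest):
    """Stock tarfile behaviour: no path checks at all.

    On interpreters that have PEP 706 filters, filter="fully_trusted" is passed
    explicitly so the pre-3.12 behaviour is reproduced on every Python version.
    """
    kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        tar.extractall(dest, **kwargs)


class SafeTarFile(tarfile.TarFile):
    """Drop-in TarFile that validates every member before writing anything.

    Refuses absolute names, names that resolve outside the destination, and all
    link members (a symlink extracted first could redirect later members).
    """

    @staticmethod
    def _check_member(member, path):
        dest = os.path.realpath(path)
        if os.path.isabs(member.name):
            raise tarfile.TarError(f"absolute member name refused: {member.name}")
        target = os.path.realpath(os.path.join(dest, member.name))
        if os.path.commonpath([dest, target]) != dest:
            raise tarfile.TarError(f"member escapes destination: {member.name}")
        if member.issym() or member.islnk():
            raise tarfile.TarError(f"link member refused: {member.name}")

    def extract(self, member, path="", *args, **kwargs):
        info = self.getmember(member) if isinstance(member, str) else member
        self._check_member(info, path or ".")
        return super().extract(member, path, *args, **kwargs)

    def extractall(self, path=".", members=None, *args, **kwargs):
        members = list(members) if members is not None else self.getmembers()
        for info in members:  # validate the whole archive first, write second
            self._check_member(info, path)
        return super().extractall(path, members, *args, **kwargs)


def safe_extract(data, dest):
    """Same call site as unsafe_extract, but through SafeTarFile."""
    with SafeTarFile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        tar.extractall(dest)


def escapes_with_stock_tarfile(bomb):
    """True if stock extractall wrote a file outside its destination directory."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "downloads", "accounts_2020_06")
        os.makedirs(dest)
        unsafe_extract(bomb, dest)
        return os.path.isfile(os.path.join(root, "downloads", ".bash_profile"))


def refused_by_safe_tarfile(bomb):
    """True if SafeTarFile raised and left the destination untouched."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "downloads", "accounts_2020_06")
        os.makedirs(dest)
        try:
            safe_extract(bomb, dest)
        except tarfile.TarError:
            outside = os.path.join(root, "downloads", ".bash_profile")
            return not os.listdir(dest) and not os.path.exists(outside)
        return False


if __name__ == "__main__":
    print("stock tarfile escaped:", escapes_with_stock_tarfile(TRAVERSAL_BOMB))
    for label, bomb in [("../", TRAVERSAL_BOMB), ("absolute", ABSOLUTE_BOMB),
                        ("symlink", SYMLINK_BOMB), ("benign", BENIGN)]:
        print(f"SafeTarFile refused {label}:", refused_by_safe_tarfile(bomb))
```

One caveat worth knowing today: Python 3.12, and the security backports in 3.8.17, 3.9.17, 3.10.12 and 3.11.4, added an extraction filter argument, and `tar.extractall(dest, filter="data")` rejects all three member types above with a `tarfile.FilterError`; Python 3.14 makes that filter the default. On older interpreters a check like the subclass above is still the only thing standing between extractall and your .bash_profile.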

Conclusion

I hadn't planned to write this post; in fact I stumbled on this vulnerability a few weeks ago in the wild and thought I had discovered a new vulnerability in tarfile. While I did discover a vulnerability, it unfortunately wasn't a new one. My hope is that this post will help raise awareness about tarfile and the dangers of handling suspect files without safety checks. Happy coding.

Translated from: https://medium.com/ochrona/python-path-traversal-prevention-the-tarbomb-5be58f06dd70
