Check that resolved path is still in dstdir for export logs#7416
hgreebe wants to merge 1 commit into
Conversation
gmarciani
reviewed
Jun 1, 2026
| ) | ||
| decompressed_path = os.path.realpath(decompressed_path) | ||
| if not decompressed_path.startswith(os.path.realpath(destdir) + os.sep): | ||
| LOGGER.warning("Skipping unsafe S3 key (path traversal detected): %s", archive_object.key) |
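Review bot: the containment test on the `if not decompressed_path.startswith(os.path.realpath(destdir) + os.sep)` line only protects the export if `decompressed_path` has already been joined onto `destdir` when `os.path.realpath` runs; a bare relative key would otherwise be resolved against the current working directory, and the comparison would reject legitimate files rather than catch escaping ones. Building the target explicitly, e.g. `target = os.path.realpath(os.path.join(os.path.realpath(destdir), decompressed_path))`, and then comparing with `os.path.commonpath([dest_real, target]) == dest_real` keeps the resolution anchored to the destination and drops the hand-rolled `+ os.sep` suffix.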
Contributor
"Path traversal" may be a bit cryptic/not-actionable for the end user. I suggest to make the message more explicit by mentioning the decompressed path and the destination path that it is escaping.
Also, I suggest to log this as an error because:
- the effect is that the export does not complete, which is a pretty bad outcome for the user
- the reason why it does not occur is related to a security issue
| decompressed_path = decompressed_path.replace( | ||
| r"{unwanted_path_segment}{sep}".format(unwanted_path_segment=prefix, sep=os.path.sep), "" | ||
| ) | ||
| decompressed_path = os.path.realpath(decompressed_path) |
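Review bot: `str.replace` on the `decompressed_path = decompressed_path.replace(` line strips every occurrence of `<prefix>/` in the key, not just the leading segment, so a legitimate key with an inner directory that happens to equal `prefix` lands on a different path than the one the archive recorded. Restricting the strip to the front of the string (a `startswith` guard followed by slicing, or `str.removeprefix`) matches the intent of the `unwanted_path_segment` name. The `r` prefix on the format string is also redundant, as the literal contains no backslashes.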
Contributor
Contributor
[Testing] Can we cover this change with a unit test focused on proving the defense against the attack scenario?
| r"{unwanted_path_segment}{sep}".format(unwanted_path_segment=prefix, sep=os.path.sep), "" | ||
| ) | ||
| decompressed_path = os.path.realpath(decompressed_path) | ||
| if not decompressed_path.startswith(os.path.realpath(destdir) + os.sep): |
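Review bot: a `destdir` supplied with a trailing separator is already handled on the `if not decompressed_path.startswith(os.path.realpath(destdir) + os.sep)` line, because `os.path.realpath` passes the path through `normpath`, which drops the trailing separator before `os.sep` is appended once. A short comment on that line stating this would save the next reader the same question; switching to `os.path.commonpath` would make it a non-issue altogether.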
Contributor
What if destdir is passed by the user already with a trailing slash, e.g. /my/destination/dir/ ?
In that case even a legitimate decompressed path could fail the check.
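The unit test requested above, written here as an added example rather than code from this pull request or from the project: a small containment check built the way the review suggests (`realpath` on both sides, `commonpath` for the comparison) and a driver that exercises the cases raised in the thread, including a destination directory with a trailing slash, a key with `..` segments, an absolute key, and a symlink inside the destination that points outside it. The function names, the `logs` prefix and the sample keys are all assumptions made for the example.

```python
import os
import tempfile


def strip_leading_segment(key: str, prefix: str) -> str:
    """Drop only a leading '<prefix>/' segment from an archive key.

    Assumption for this example: the export code removes one leading
    segment before placing the file under destdir.  Inner occurrences of
    the same segment are left untouched on purpose.
    """
    marker = f"{prefix}/"
    return key[len(marker):] if key.startswith(marker) else key


def resolve_inside_destdir(key: str, destdir: str):
    """Return the resolved on-disk target for key, or None if it escapes destdir.

    realpath() normalizes a trailing separator on destdir and follows
    symlinks, so the comparison is done on fully resolved absolute paths.
    commonpath() avoids the string-prefix pitfalls of startswith().
    """
    dest_real = os.path.realpath(destdir)
    target = os.path.realpath(os.path.join(dest_real, key))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None
    return target


def run_demo() -> dict:
    """Exercise the check against constructed keys; True means 'accepted'."""
    dest = tempfile.mkdtemp(prefix="export-logs-")
    # A symlink inside the destination pointing at the filesystem root:
    # a check that resolves symlinks must reject files reached through it.
    os.symlink("/", os.path.join(dest, "escape"))

    cases = {
        # label: (constructed archive key, destdir as the user might pass it)
        "clean": ("logs/cluster/node1/slurmctld.log", dest),
        "trailing_slash_destdir": ("logs/cluster/node1/slurmd.log", dest + os.sep),
        "inner_prefix_kept": ("logs/cluster/logs/inner.log", dest),
        "dotdot_escape": ("logs/../../etc/passwd", dest),
        "absolute_key": ("/etc/passwd", dest),
        "symlink_escape": ("logs/escape/etc/hostname", dest),
    }
    results = {}
    for label, (key, destdir) in cases.items():
        relative = strip_leading_segment(key, "logs")
        target = resolve_inside_destdir(relative, destdir)
        results[label] = target is not None
        if target is None:
            # Mirrors the PR's log line, but names both paths so the user can act on it.
            print(f"ERROR: refusing key {key!r}: resolves outside {os.path.realpath(destdir)!r}")
    return results


if __name__ == "__main__":
    for label, accepted in run_demo().items():
        print(f"{label:24s} accepted={accepted}")
```

The three rejected cases are the ones a path-traversal check exists for; the `trailing_slash_destdir` case shows that normalizing through `realpath` makes the user's trailing separator irrelevant, and `inner_prefix_kept` shows why the prefix strip should touch only the leading segment.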
Description of changes
Tests
pcluster export-cluster-logs
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.