Skip to content

Reject TAR links from untrusted archives#5365

Open
M0nd0R wants to merge 1 commit into
google:masterfrom
M0nd0R:agent/reject-unsafe-tar-links
Open

Reject TAR links from untrusted archives#5365
M0nd0R wants to merge 1 commit into
google:masterfrom
M0nd0R:agent/reject-unsafe-tar-links

Conversation

@M0nd0R

@M0nd0R M0nd0R commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Reject symbolic-link and hard-link TAR members when extracting an untrusted archive.
  • Preserve link extraction for callers that explicitly mark an archive trusted.
  • Add regression tests for untrusted symbolic and hard links.

Root cause

The path-traversal guard checked a member name but did not examine the TAR member type. A safe-looking member name could therefore create a link whose target resolved outside the extraction directory.

Impact

This prevents untrusted archive consumers, including bundled testcase processing, from later following an extracted TAR link when reading a member path.

Closes #5364

Testing

  • PYTHONPATH=src python3 focused unittest run for the two new TAR-link regressions (pass).
  • The full archive test module was not runnable in this host environment because it uses Python 3.14 without the project Google dependencies; existing tests that emit error logs fail before reaching the assertions.

@google-cla

google-cla Bot commented Jul 15, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@M0nd0R M0nd0R force-pushed the agent/reject-unsafe-tar-links branch from 111b538 to 9bcb63c Compare July 15, 2026 01:14
@M0nd0R M0nd0R marked this pull request as ready for review July 15, 2026 01:19
@M0nd0R M0nd0R requested a review from a team as a code owner July 15, 2026 01:19
@M0nd0R M0nd0R force-pushed the agent/reject-unsafe-tar-links branch from 9bcb63c to 6aabbfc Compare July 15, 2026 01:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Reject symbolic and hard links in untrusted TAR archives

1 participant