Pnac

[milan-zededa]

Description

Provide a clear and concise description of the changes in this PR and
explain why they are necessary.

If the PR contains only one commit, you will see the commit message above:
fill free to use it under the description section here, if it is good enough.

For Backport PRs, a full description is optional, but please clearly state
the original PR number(s). Use the #{NUMBER} format for that, it makes it easier
to handle with the scripts later. For example:

Backport of lf-edge#1234, lf-edge#5678, #91011

Title of a backport PR must also follow the following format:

"[x.y-stable] Original PR title".

where x.y-stable is the name of the target stable branch, and
Original PR title is the title of the original PR.

For example, for a PR that backports a PR with title Fix the nasty bug to
branch 13.4-stable the title should be:
[13.4-stable] Fix the nasty bug.

PR dependencies

List all dependencies of this PR (when applicable, otherwise remove this
section).

How to test and validate this PR

Please describe how the changes in this PR can be validated or verified. For
example:

• If your PR fixes a bug, outline the steps to confirm the issue is resolved.
• If your PR introduces a new feature, explain how to test and validate it.

This will be used

1. to provide test scenarios for the QA team
2. by a reviewer to validate the changes in this PR.

The first is especially important, so, please make sure to provide as much
detail as possible.

If it's covered by an automated test, please mention it here.

Changelog notes

Text in this section will be used to generate the changelog entry for
release notes. The consumers of this are end users, not developers.
So, provide a clear and short description of what is changed in the PR from
the end user perspective. If it changes only tooling or some internal
implementation, put a note like "No user-facing changes" or "None".

PR Backports

For all current LTS branches, please state explicitly if this PR should be
backported or not. This section is used by our scripts to track the backports,
so, please, do not omit it.

Here is the list of current LTS branches (it should be always up to date):

• 16.0-stable
• 14.5-stable
• 13.4-stable

For example, if this PR fixes a bug in a feature that was introduced in 14.5,
you can write:

- 16.0-stable: To be backported.
- 14.5-stable: No, as the feature is not available there.
- 13.4-stable: No, as the feature is not available there.

Also, to the PRs that should be backported into any stable branch, please
add a label stable.

Checklist

• I've provided a proper description
• I've added the proper documentation
• I've tested my PR on amd64 device
• I've tested my PR on arm64 device
• I've written the test verification instructions
• I've set the proper labels to this PR

For backport PRs (remove it if it's not a backport):

• I've added a reference link to the original PR
• PR's title follows the template

And the last but not least:

• I've checked the boxes above, or I've provided a good reason why I didn't
  check them.

Please, check the boxes above after submitting the PR in interactive mode.

In general, to fix Zip Slip–style issues, you must ensure that paths derived from archive entries cannot escape a designated extraction root. This is typically done by (1) normalizing the archive entry path, (2) rejecting any path that is absolute, contains .. path elements, or otherwise resolves outside the intended base directory, and (3) only passing validated, safe paths to filesystem operations like os.Mkdir and os.Create.

For this code, the simplest and least invasive fix is to update resolvePath so that it both normalizes and validates the input path and returns an error if it detects traversal or an absolute path. Since all uses of header.Name flow through resolvePath, tightening its behavior will secure every filesystem operation using newPath. A robust approach is:

• Convert the incoming curPath (e.g., header.Name) to a slash‑normalized form and strip any leading / so that archive entries that start at the filesystem root are rejected or made relative.
• Use filepath.Clean on the path after replacing the matched Location prefix with Destination, and explicitly reject any path that contains .. path components or that is absolute.
• Optionally, if you also want to ensure extraction stays within a well‑defined base directory, derive a base directory from Destination and then verify that the cleaned newPath is still within that base using filepath.Abs and strings.HasPrefix.

Because we cannot alter callers outside this file, the best single change is to modify resolvePath to:

• Return os.ErrNotExist (or another error) if curPath contains .. path elements or attempts to be absolute.
• Only return the mapped newPath after running filepath.Clean and rechecking that it does not contain .. and isn’t absolute.
  This preserves existing semantics for valid paths (they still map Location to Destination) while preventing malicious header.Name values from producing unsafe newPath values. No new imports are needed; filepath and strings are already imported.

In general, the fix is to normalize archive entry paths and ensure they do not escape the intended destination directory before using them in any filesystem operation. That means rejecting paths containing .. path elements, absolute paths, and anything that, after cleaning and joining with destination, does not remain within destination. Symlink targets (Linkname) should be treated similarly if you want to prevent links to arbitrary locations.

The best way to fix this function without changing existing behavior is:

1. Introduce a small helper inside ExtractFromTar that, given an entry path, returns a safe absolute path under destination or an error if the path is unsafe. This helper should:
   • Use filepath.Clean to normalize the entry path.
   • Reject empty, absolute, or traversal paths (those starting with .. or containing .. as a path element).
   • Join the cleaned name with destination, get filepath.Abs for both, and ensure the resulting path has destAbs as its prefix (rel does not start with .. and is not absolute).
2. Replace the simple pathBuilder := func(oldPath string) string { return path.Join(destination, oldPath) } with this validated builder that returns (string, error).
3. Update all uses:
   • For directories and regular files: compute fullPath, err := pathBuilder(header.Name) and use fullPath in MkdirAll, Lstat, Remove, OpenFile, etc. If pathBuilder returns an error, abort extraction with a wrapped error mentioning the entry name.
   • For symlinks: compute linkPath from header.Name as above. For the symlink target, either:
     • Keep current behavior (allow arbitrary targets) but at least keep the link itself within destination by validating only header.Name, or
     • Stricter: also pass header.Linkname through the same validation so links cannot point outside destination. Given the vulnerability class, validating both is safer and still consistent with the idea of keeping extraction confined.
4. Use filepath rather than path for actual OS paths, since this is filesystem-related code.

All changes are within evetest/utils/tar.go, in the ExtractFromTar function region. No new imports are needed, because filepath and strings are already imported.

In general, fixing this requires validating and constraining all paths derived from tar headers before using them on the filesystem, and for symlinks specifically, ensuring that the final resolved target (after following any existing symlinks) remains within the extraction root. That means: (1) prevent absolute paths and .. traversal from escaping destination, and (2) for symlink creation, check that the symlink’s effective target is still under destination using filepath.EvalSymlinks plus a Rel-based check.

For this code, the minimal, behavior-preserving fix is:

1. Introduce a helper isRel(candidate, root string) bool that:

   • Rejects absolute candidate.
   • Resolves candidate relative to root using filepath.EvalSymlinks(filepath.Join(root, candidate)).
   • Computes filepath.Rel(root, resolved) and ensures the result does not start with ...
     This matches the “GOOD” pattern from the background.

2. Use filepath (already imported) instead of path for filesystem paths, since this code works with the local filesystem, not URL paths. In particular:

   • Replace pathBuilder := func(oldPath string) string { return path.Join(destination, oldPath) }
     with filepath.Join.
   • This avoids subtle cross-platform issues and uses the right separator semantics.

3. Before creating a symlink (and for safety also before creating files or directories), ensure that the target path is within destination:

   • Compute dstPath := pathBuilder(header.Name) and verify isRel(header.Name, destination); if not, return an error.
   • For symlinks: verify both the link name and its target:
     • if !isRel(header.Name, destination) || !isRel(header.Linkname, destination) { return error }
       This ensures that neither the symlink itself nor the effective resolved target can escape destination.

4. Keep all other logic (removal of old entries, size limiting, mode handling) unchanged.

All required pieces are contained in evetest/utils/tar.go: we only add a small helper function and adjust the ExtractFromTar implementation to use it and to use filepath.Join instead of path.Join. No new imports are needed because filepath and strings are already imported.

In general, to fix this class of issues you must ensure that any filesystem path derived from archive headers is validated before use. For symlinks, both the path of the link itself and the link target must be checked. This validation should be done on resolved paths (using filepath.EvalSymlinks or equivalent) to account for any pre‑existing symlinks inside the extraction directory. Only if the fully resolved paths are still within the intended extraction root should the link be created.

For this specific function, we should:

1. Introduce a helper isWithinDestination(candidate, destination string) bool that:
   • Rejects absolute candidate paths.
   • Joins destination and candidate.
   • Calls filepath.EvalSymlinks on the joined path; if that fails, returns false.
   • Uses filepath.Rel from destination to the resolved path and ensures the result does not start with .. (after filepath.Clean).
2. Before creating symlinks in the tar.TypeLink, tar.TypeSymlink case, call this helper on both header.Name (the link path) and header.Linkname (the target). If either fails the check, return an error instead of creating the symlink.
3. When calling os.Symlink, use the validated, joined values rather than recomputing them ad hoc, so we don’t accidentally diverge from what we checked.
4. Keep other behavior (directory creation, regular file extraction, decompression limit) unchanged.

All changes are within evetest/utils/tar.go, inside ExtractFromTar. We only need to add the small helper inside that function (or as a nested closure) using existing imports; path/filepath is already imported, so no new dependencies are required.