From 2b4db9383c5136bbfb2d695a90b169a27a738730 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 20 Dec 2024 01:44:48 +0100
Subject: [PATCH] pkg/archive: nosysFileInfo: implement tar.FileInfoNames to prevent lookups

commit e9bbc41dd146d692e28660a392b068c9c112f2ad removed our fork of pkg/archive that was in place to mitigate CVE-2019-14271. As part of that change, a nosysFileInfo type was added to prevent tar.FileInfoHeader from looking up user- and group-names. A proposal was pending in go https://go.dev/issue/50102 to define an interface for implementing custom lookup functions to be implemented, and disable go's builtin lookup. That proposal was accepted, and is now implemented in go1.23. Thia patch makes the nosysFileInfo implement the tar.FileInfoNames interface to prevent tar.FileInfoHeader from performing its own lookups. While the mitigation implemented in e9bbc41dd146d692e28660a392b068c9c112f2ad should already prevent this from happening, implementing the interface does not cost us much and is complementary to the existing mitigation. This patch keeps the mitigation added in a316b10dab79d9298b02c7930958ed52e0ccf4e4 in place for any unforeseen other code.

Signed-off-by: Sebastiaan van Stijn
---
 pkg/archive/archive.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go
index b7eae21328b43..b05780406b0c6 100644
--- a/pkg/archive/archive.go
+++ b/pkg/archive/archive.go
@@ -472,13 +472,35 @@ func (compression *Compression) Extension() string {
 return ""
 }
 
+// assert that we implement [tar.FileInfoNames].
+//
+// TODO(thaJeztah): disabled to allow compiling on < go1.23. un-comment once we drop support for older versions of go.
+// var _ tar.FileInfoNames = (*nosysFileInfo)(nil)
+
 // nosysFileInfo hides the system-dependent info of the wrapped FileInfo to
 // prevent tar.FileInfoHeader from introspecting it and potentially calling into
 // glibc.
+//
+// It implements [tar.FileInfoNames] to further prevent [tar.FileInfoHeader]
+// from performing any lookups on go1.23 and up. see https://go.dev/issue/50102
 type nosysFileInfo struct {
 os.FileInfo
 }
 
+// Uname stubs out looking up username. It implements [tar.FileInfoNames]
+// to prevent [tar.FileInfoHeader] from loading libraries to perform
+// username lookups.
+func (fi nosysFileInfo) Uname() (string, error) {
+ return "", nil
+}
+
+// Gname stubs out looking up group-name. It implements [tar.FileInfoNames]
+// to prevent [tar.FileInfoHeader] from loading libraries to perform
+// username lookups.
+func (fi nosysFileInfo) Gname() (string, error) {
+ return "", nil
+}
+
 func (fi nosysFileInfo) Sys() interface{} {
 // A Sys value of type *tar.Header is safe as it is system-independent.
 // The tar.FileInfoHeader function copies the fields into the returned
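Review bot: The `var _ tar.FileInfoNames = (*nosysFileInfo)(nil)` assertion is left commented out, so no toolchain checks that `Uname`/`Gname` still match the interface; a signature drift would silently drop this complementary mitigation and leave only the `Sys()` one. It can stay live without breaking older compilers by moving it into a small file guarded with `//go:build go1.23`. Separately, if go1.23's `tar.FileInfoHeader` applies the `FileInfoNames` results after copying fields from a `*tar.Header` returned by `Sys()` (whose body continues outside this hunk), the unconditional `return "", nil` would blank the Uname/Gname of header-backed FileInfos on go1.23 and up; that is worth confirming with a test. The `Gname` doc comment also says "username lookups" where it should read `// group-name lookups.`.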