Report extraction problems from handlers/extractors #633
Branch updated: b3d0b91 to 3b5b2b3
I like the approach of Are there extractors other than tar, romfs, yaffs, ipkg, and hdr that could benefit from it? I'll do a deeper pass for review today.
Thanks, I hoped it will be useful later as well :) This was the full evolution of the class name: I did not really like the I would prefer to keep the current Most of the
Branch updated: 2a749b3 to dfa6097
If we all agree on the API of `Sandbox`, can you update the documentation as part of this PR? I would put it under "Writing extractors" in docs/development.md
I like the Sandbox very much, not sure though about the name. The other thing I was wondering about, what if we pass the Sandbox instance to the extractor instead of just the outdir? It would require an API change, but might decrease boilerplate (not sure about CommandExtractor). Also I was wondering if for the Sandbox APIs we want to pass an absolute path or just a path within the sandbox? Maybe it would be easier if the extractor logic would not need to know about the outdir
Branch updated: 7931e03 to 55eb73a
I was not sure about this in the beginning since Of course
We could do things so that all paths provided to the Sandbox APIs are considered relative to the extraction directory. If an absolute path is provided, its root should be considered to be the outdir. What do you think?
Just a side note, don't mind me. In the future, this Sandbox might be the place where we can sandbox external extractors using Landlock (#597). Instead of a general Landlock rule, we could set one limited to outdir for the specific extraction command we run.
Thanks for the comments @qkaiser @martonilles and @vlaci.
These proposals/ideas are nice, and will be/should be implemented later:
Branch updated: 3d8052a to 38764d0
Branch updated: 38764d0 to e4da329
@e3krisztian would be nice to follow atomic commit message structure using
Branch updated: e4da329 to afe5a25
Branch updated: 128610f to 3138c8b
Branch updated: 3138c8b to 6eb481f
…late in Extractors For every handler every file system operation needs to be checked for potential path traversal, attempts to create devices, and the ones that could be problematic should be prevented and reported. This was managed so far individually in every handler, which resulted in reporting the same problems somewhat differently and allowed for potential bugs in implementation. The FileSystem helper class introduced here should take care of these repetitive tasks and hopefully could make for more succinct, yet safer Handler/Extractor implementations.
In the newer version absolute symlinks are no longer dropped as path traversals, but changed to point within the extraction directory.
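To make the behaviour described in the commit message concrete, and the convention proposed earlier in the thread (paths are relative to the extraction directory; an absolute path is rooted at the outdir), here is an added illustration. It is example code written for this page, not unblob's own `Sandbox`/`FileSystem` class from this PR; the class and method names (`Sandbox`, `Report`, `write_file`, `symlink`, `create_device`, `run_demo`) and the sample archive entries are assumptions. It refuses `..` traversal and device creation while recording each attempt, and re-roots absolute symlink targets at the outdir instead of dropping them.

```python
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass
class Report:
    """One refused operation, kept so the extraction result can surface it."""
    path: str
    reason: str


class Sandbox:
    """Confines every file system object an extractor creates to one directory.

    Hypothetical helper for this example: all paths are taken relative to the
    extraction directory, and an absolute path is treated as rooted there.
    """

    def __init__(self, outdir):
        self.root = Path(outdir).resolve()
        self.root.mkdir(parents=True, exist_ok=True)
        self.reports: list[Report] = []

    def _within_root(self, path: Path) -> bool:
        try:
            path.relative_to(self.root)
            return True
        except ValueError:
            return False

    def _safe_path(self, path) -> Optional[Path]:
        """Map an archive path onto the extraction directory, or record why not."""
        p = Path(path)
        if p.is_absolute():
            p = p.relative_to(p.anchor)  # "/etc/x" becomes "<outdir>/etc/x"
        # Lexical check: ".." components must not climb above the root.
        candidate = Path(os.path.normpath(self.root / p))
        if not self._within_root(candidate):
            self.reports.append(Report(str(path), "path traversal: escapes extraction directory"))
            return None
        # Follow symlinks already created below the root: a link pointing
        # outside must not serve as the parent directory of a new object.
        if not self._within_root(candidate.parent.resolve()):
            self.reports.append(Report(str(path), "path traversal: parent resolves outside root"))
            return None
        return candidate

    def write_file(self, path, data: bytes) -> Optional[Path]:
        safe = self._safe_path(path)
        if safe is not None:
            safe.parent.mkdir(parents=True, exist_ok=True)
            safe.write_bytes(data)
        return safe

    def symlink(self, link_path, target) -> Optional[Path]:
        """Absolute targets are re-rooted at outdir; escaping relative targets are refused."""
        link = self._safe_path(link_path)
        if link is None:
            return None
        target_p = Path(target)
        if target_p.is_absolute():
            target_p = self.root / target_p.relative_to(target_p.anchor)
        else:
            pointed = Path(os.path.normpath(link.parent / target_p))
            if not self._within_root(pointed):
                self.reports.append(Report(str(link_path), f"symlink target {target} escapes root"))
                return None
        link.parent.mkdir(parents=True, exist_ok=True)
        os.symlink(target_p, link)
        return link

    def create_device(self, path) -> None:
        """Device nodes are never created from archive content; only the attempt is recorded."""
        self.reports.append(Report(str(path), "device node creation refused"))
        return None


def run_demo() -> dict:
    """Replay a few constructed archive entries against a temporary extraction directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sb = Sandbox(tmp)
        results = {
            "normal_write": sb.write_file("etc/hosts", b"127.0.0.1 localhost\n") is not None,
            "dotdot_write": sb.write_file("../escape.txt", b"x") is not None,
            "abs_write_rel": str(sb.write_file("/usr/bin/busybox", b"ELF").relative_to(sb.root)),
            "abs_symlink_target": os.readlink(sb.symlink("bin/sh", "/usr/bin/busybox")),
            "rel_symlink_escape": sb.symlink("etc/up", "../../outside") is not None,
            "device": sb.create_device("dev/null") is not None,
        }
        results["abs_symlink_in_root"] = results["abs_symlink_target"].startswith(str(sb.root))
        results["reports"] = [r.reason for r in sb.reports]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two-stage check in `_safe_path` matters: lexical normalisation alone would accept `link/sub/../x` even when `link` is a symlink that an earlier entry pointed outside the directory, so the parent is also resolved after the lexical check. Annotations such as `list[Report]` need Python 3.9 or newer.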
Branch updated: 6eb481f to 37c00fd
Main changes are:
- `Extractor.extract` can optionally return an `ExtractionResult`, which has a `reports` attribute.
- `Sandbox`, which prevents out-of-extraction-directory file system object creation/reference and records any such attempts.
- `tar`, `romfs`, `yaffs`, `ipkg`, `hdr`, with most of them converted to use `Sandbox`.