Insecure TAR Archive Extraction
Description
Insecure TAR archive extraction can result in arbitrary path overwrite and can lead to code injection. This occurs when the extraction process does not properly limit the pathname to a restricted directory, allowing for path traversal attacks.
Examples
Insecure Code
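```javascript
const fs = require('fs');
const tar = require('tar-stream');
const extract = tar.extract();
extract.on('entry', function(header, stream, callback) {
  // header.name is taken from the archive and used unchanged as the output path,
  // so an entry name with "../" segments or an absolute path lands outside the intended directory.
  const writeFile = fs.createWriteStream(header.name);
  stream.pipe(writeFile);
  stream.on('end', callback);
});
```
Secure Code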
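```javascript
const tar = require('tar-stream');
const extract = tar.extract();
const path = require('path');
const fs = require('fs');
// Make sure the destination directory exists before any entry is written.
fs.mkdirSync('extracted', { recursive: true });
extract.on('entry', function(header, stream, callback) {
  // Keep only the final path component, discarding any directory part of the entry name.
  const filename = path.basename(header.name);
  // Always write inside the 'extracted' directory.
  const writeFile = fs.createWriteStream(path.join('extracted', filename));
  stream.pipe(writeFile);
  stream.on('end', callback);
});
```
Remediation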
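Validate and sanitize the filenames within the TAR archive before extraction to prevent path traversal. Use `path.basename()` to strip directory components from the entry name and `path.join()` to place the result under the intended directory. `path.join()` on its own only normalizes the path and keeps any leading `..` segments, so it is not a sufficient check without `path.basename()` or an explicit test that the resolved path stays inside the destination. Because `path.basename()` flattens the archive's directory structure, entries that share a filename overwrite each other.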
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0421 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-22 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Path Traversal, TAR Archive |
| OWASP | A5:2017-Broken Access Control, A01:2021-Broken Access Control |