Blog

了解 Python 的 tarfile 模块中的路径遍历错误

October 3, 2022
Laura Verheyde

最近,一个小组 安全研究人员 宣布他们在 Python 的 tar 文件提取功能中发现了一个已有十五年历史的错误。该漏洞于 2007 年首次披露,追踪为 CVE-2007-4559。在 Python 官方文档中添加了一条注释,但错误本身没有修补。

该漏洞可能会影响成千上万的软件项目,但许多人不熟悉情况或如何处理。这就是为什么,在这里 安全代码勇士,我们为您提供了亲自模拟利用此漏洞的机会,以亲眼目睹其影响,并亲身体验这个持续错误的机制,这样您就可以更好地保护您的应用程序!

试试模拟 使命 现在。

漏洞:提取 tar 文件期间的路径遍历

当使用未经审查的用户输入来构造文件路径时,就会发生路径或目录遍历,从而允许攻击者获得访问权限和覆盖文件,甚至执行任意代码。

该漏洞存在于 Python 中 tarfile 模块。tar(磁带存档)文件是一个单一的文件,称为存档。它将多个文件及其元数据打包在一起,通常通过以下方式进行识别 .tar.gz 要么 .tgz 延期。存档中的每个成员都可以用一个来表示 TarInfo 对象,其中包含元数据,例如文件名、修改时间、所有权等。

风险来自于能够再次提取档案。

提取时,每个成员都需要写入路径。此位置是通过将基本路径与文件名连接起来创建的:

来自 Python 的片段 Tarfile.py


创建此路径后,它将传递给 tarfile.extra 要么 tarfile.extall 执行提取的函数:

来自 Python 的片段 Tarfile.py

这里的问题是缺乏对文件名的清理。攻击者可以重命名文件以包含路径遍历字符,例如 点点斜线 (../),这将导致文件遍历出其本应所在的目录并覆盖任意文件。这最终可能导致远程代码执行,而利用的时机已经成熟。

如果您知道如何识别该漏洞,则该漏洞会出现在其他场景中。除了 Python 对 tar 文件的处理外,该漏洞还存在于 提取 zip 文件。你可能用另一个名字熟悉这个,比如 压缩文件漏洞,这已经体现在除了 Python 之外的语言中!

链接到任务 

如何降低风险?

尽管该漏洞已为人所知多年,但Python维护人员仍认为提取功能正在发挥作用 它应该做什么。在这种情况下,有人可能会说 “这是一项功能,不是错误”。不幸的是,开发人员不能总是避免从未知来源提取 tar 或 zip 文件。作为安全开发实践的一部分,他们有责任对不可信的输入进行清理,以防止路径遍历漏洞。

想更多地了解如何使用 Python 编写安全代码和降低风险?

试试我们的 免费的 Python 挑战赛

如果你有兴趣获得更多免费编程指南,请查看 安全代码教练 帮助您掌握安全编码惯例。

标语

Govern AI-driven development before it ships

Measure AI-assisted risk, enforce secure coding policy at commit, and accelerate secure delivery across your SDLC.

book a demo
标语

Explore more blogs

Lorem Issum diam quis eim leboutis ein selerisque lobortis sepitis beelrisque lobortis sepitis celerisque lobortis celeriskue filmentis celeriskue filmentis celeriskue diam

browse all
Case Study
Filter Label
This is some text inside of a div block.

Supercharged Security Awareness: How Tournaments are Inspiring Developers at Erste Group

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Learn More
Case Study
Filter Label
This is some text inside of a div block.

Security as culture: How Blue Prism cultivates world-class secure developers

Learn how Blue Prism, the global leader in intelligent automation for the enterprise, used Secure Code Warrior's agile learning platform to create a security-first culture with their developers, achieve their business goals, and ship secure code at speed

Learn More
Case Study
Filter Label
This is some text inside of a div block.

One Culture of Security: How Sage built their security champions program with agile secure code learning

Discover how Sage enhanced security with a flexible, relationship-focused approach, creating 200+ security champions and achieving measurable risk reduction.

Learn More
Blog
Filter Label
This is some text inside of a div block.

The Future of AI Software Governance Is Built on Strong Partnerships

Discover why Secure Code Warrior is becoming a channel-first company and how trusted partners help organizations adopt AI Software Governance securely and at scale.

Learn More
Blog
Filter Label
This is some text inside of a div block.

Citizen AI by Secure Code Warrior: Build an AI-Ready Workforce

Secure Code Warrior's AI literacy program for non-developer employees.

Learn More
Blog
Filter Label
This is some text inside of a div block.

Why most CISOs are navigating AI adoption blindfolded (and how they can remove it)

Today, Secure Code Warrior issued an all-new white paper covering a prescriptive, directional AI adoption model that security leaders can use to identify their adoption stage and make real progress in bringing the AI security risks within their organization under control.

Learn More

Secure AI-driven development before it ships

See developer risk, enforce policy, and prevent vulnerabilities across your software development lifecycle.

Book a demo