Conversation
|
This pull request contains a TOCTOU symlink vulnerability in CArchiveExtractCallback::GetStream (ext/lzma_sdk_wrapper/archive_callbacks.cpp lines 126–137) where a non-atomic check-delete-create sequence when handling existing files allows a local attacker with write access to the extraction directory to replace the target with a symlink and cause arbitrary file overwrite.
TOCTOU Symlink Attack during Extraction in
|
| Vulnerability | TOCTOU Symlink Attack during Extraction |
|---|---|
| Description | The C++ extraction implementation in CArchiveExtractCallback::GetStream uses a non-atomic sequence (Check-Delete-Create) to handle existing files, which creates a Time-of-Check to Time-of-Use (TOCTOU) race condition. A local attacker with write access to the extraction directory could exploit this window by replacing the target file with a symbolic link pointing to an arbitrary location on the filesystem, leading to an arbitrary file overwrite. |
ruby_lzma_gem/ext/lzma_sdk_wrapper/archive_callbacks.cpp
Lines 126 to 137 in 77449a1
All finding details can be found in the DryRun Security Dashboard.
jkorany
force-pushed
the
writer_support
branch
from
e71f5a8 to
9f4e331
Compare
Features: - Archive Writer class for creating 7z archives - Support for adding files, directories, and in-memory data - Password encryption support - Configurable compression options (method, level, solid mode) Security: - Zip Slip prevention in Writer (path sanitization) - Archive bomb protection in Reader (size/ratio limits) - Configurable extraction limits: - max_entry_size (default: 1GB) - max_total_size (default: 10GB) - max_compression_ratio (default: 1000:1) - max_size_for_unknown_ratio (default: 10MB) - Path traversal protection during extraction Tests: - Comprehensive Writer specs - Security tests for both Reader and Writer - Docker-verified archive bomb protection
jkorany
force-pushed
the
writer_support
branch
from
9f4e331 to
77449a1
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implementing the minimum needed support for creating an archive via the LZMA SDK